
Mailing List Archive: RSyslog: users

rsyslog as non-root user



michael at maymann

Jan 31, 2012, 6:01 AM

Post #1 of 37 (451 views)
rsyslog as non-root user

Hi,

I have now set up a 6.3.6-devel rsyslog server that is working fine running
as root.
I would like to run it as a non-root user, as my logfiles are located on NFS
(and root export of NFS is generally not a good idea!).

Here is my rsyslog.conf:
#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514
#SET DESTINATION FOR LOGS
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
#SET LOGGING CONDITIONS
if $syslogseverity <= '6' then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
if $syslogfacility-text == 'mail' then ?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps

Here is my logfile when I try to start rsyslog as a non-root user:
2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]

So permissions to bind and sockets seem to be the problem...

1. Is it possible to make rsyslog write logfiles as a non-root user - if
yes: how ?
2a. Is it possible to add permissions for non-root user to run rsyslog
server - if yes: how ?
2b. How do I start rsyslog during boot as non-root user - can chkconfig do
this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?


Thanks in advance :-) !
~maymann
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


rgerhards at hq

Jan 31, 2012, 6:05 AM

Post #2 of 37 (436 views)
Re: rsyslog as non-root user [In reply to]

The right approach is to use the permission drop features of rsyslog to make
it itself run as non-root. In v6, it will run as root only to open critical
things (like the UDP ports) and then drops privileges (in a way that never
can be undone without a full restart).

HTH
Rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Tuesday, January 31, 2012 3:02 PM
> To: rsyslog [at] lists
> Subject: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> as root.
> I would like to run it as non-root user as my logfiles are located on NFS
> (and root export of NFS is generally not a good idea !).
>
> Here is my rsyslog.conf:
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> if $syslogfacility-text == 'mail' then ?DYNmaillog
> if $syslogfacility-text == 'cron' then ?DYNcron
> if $syslogseverity-text == 'crit' then ?DYNspooler
> if $syslogfacility-text == 'local7' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>
> Here is my logfile when I try to start rsyslog as a non-root user:
> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>
> So permissions to bind and sockets seems to be the problem...
>
> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> yes: how ?
> 2a. Is it possible to add permissions for non-root user to run rsyslog
> server - if yes: how ?
> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>
>
> Thanks in advance :-) !
> ~maymann
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/


michael at maymann

Jan 31, 2012, 7:03 AM

Post #3 of 37 (435 views)
Re: rsyslog as non-root user [In reply to]

Hi,

Rainer: thanks for this...:-) !

Now I have added the following to rsyslog.conf:
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>

When starting rsyslog, it hangs for a long time and fails - but processes
are started fine and everything is otherwise working fine:
# service rsyslog start
Starting system logger: [FAILED]

Running processes during hang...:
root 26710 20551 0 16:48 pts/0 00:00:00 /bin/sh /sbin/service rsyslog start
root 26715 26710 0 16:48 pts/0 00:00:00 /bin/bash /etc/init.d/rsyslog start
root 26718 26715 0 16:48 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6
root 26719 26718 0 16:48 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6
<USER> 26724 26719 0 16:48 ? 00:00:00 /usr/sbin/rsyslogd -c 6

Running processes after "failed" statement:
<USER> 26724 1 0 16:48 ? 00:00:00 /usr/sbin/rsyslogd -c 6

Stopping rsyslog causes no problem though...
# service rsyslog stop
Shutting down system logger: [ OK ]

It doesn't state anything wrong in the logs:
2012-01-31T16:48:55.612782+02:00 HOSTNAME rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26724" x-info="http://www.rsyslog.com"] start
2012-01-31T16:48:55.612664+02:00 HOSTNAME rsyslogd: rsyslogd's groupid changed to <ID>
2012-01-31T16:48:55.612709+02:00 HOSTNAME rsyslogd: rsyslogd's userid changed to <ID>

Rainer: It is working now, but FYI: I will send you the debug information
directly...

Thanks for your help :-) !


Br.
~maymann


2012/1/31 Rainer Gerhards <rgerhards [at] hq>

> The right approach is to use the permission drop features of rsyslog to
> make
> it itself run as non-root. I v6, it will run as root only to open critical
> things (like the UDP ports) and then drops privileges (in a way that never
> can be undone without a full restart).
>
> HTH
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Tuesday, January 31, 2012 3:02 PM
> > To: rsyslog [at] lists
> > Subject: [rsyslog] rsyslog as non-root user
> >
> > Hi,
> >
> > I have now setup a 6.3.6-devel rsyslog server that is working fine
> > running as root.
> > I would like to run it as non-root user as my logfiles are located on NFS
> > (and root export of NFS is generally not a good idea !).
> >
> > Here is my rsyslog.conf:
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' then ?DYNsecure
> > if $syslogfacility-text == 'mail' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' then ?DYNcron
> > if $syslogseverity-text == 'crit' then ?DYNspooler
> > if $syslogfacility-text == 'local7' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> >
> > Here is my logfile when I try to start rsyslog as a non-root user:
> > 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> > 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> > 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> > 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> > 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> > 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> > 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >
> > So permissions to bind and sockets seems to be the problem...
> >
> > 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> > yes: how ?
> > 2a. Is it possible to add permissions for non-root user to run rsyslog
> > server - if yes: how ?
> > 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> > this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>
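The sequence Rainer describes, and that the $PrivDropToUser / $PrivDropToGroup directives in the post above switch on, is: open the privileged listeners while still root, then change to the target identities in an order that leaves no way back. The following Python is an added example written for this thread, not rsyslog's own code. It binds a throwaway loopback port instead of 514 so it runs as any user, and it treats the kernel sysctl `net.ipv4.ip_unprivileged_port_start` (present on newer kernels only; the classic 1024 boundary is the assumed fallback) as the source of truth for which ports need root.

```python
"""Open listeners first, then drop privileges irreversibly.

Added example for the rsyslog thread; not rsyslog code. Mirrors what
$PrivDropToUser / $PrivDropToGroup do, on a throwaway loopback socket.
"""
import os
import socket

# Kernel default for net.ipv4.ip_unprivileged_port_start. The sysctl only
# exists on newer kernels, so it is read with this value as the fallback.
DEFAULT_UNPRIV_START = 1024
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # assumed path


def unprivileged_port_start(path=SYSCTL_PATH):
    """First port a non-root process may bind on this host (1024 if unknown)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIV_START


def port_needs_privilege(port, start=None):
    """True if binding `port` requires root (or CAP_NET_BIND_SERVICE)."""
    if start is None:
        start = unprivileged_port_start()
    # Port 0 asks the kernel for an ephemeral port and is never privileged.
    return 0 < port < start


def open_listeners(port, addr="127.0.0.1"):
    """Bind the UDP and TCP syslog listeners. Must happen *before* the drop."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((addr, port))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((addr, port))
    tcp.listen(16)
    return udp, tcp


def drop_privileges(uid, gid):
    """Switch to uid/gid so that root cannot be regained.

    Order matters: supplementary groups, then gid, then uid. Calling setuid()
    first would leave the process unable to change its groups afterwards.
    When the caller is root, setgid()/setuid() replace the real, effective
    and saved ids, which is what makes the change permanent.
    Returns True once verified; raises if anything is left behind.
    """
    if os.geteuid() == 0 and set(os.getgroups()) != {gid}:
        os.setgroups([gid])   # shed root's supplementary groups (root only)
    os.setgid(gid)
    os.setuid(uid)

    if (os.getuid(), os.geteuid()) != (uid, uid) or (os.getgid(), os.getegid()) != (gid, gid):
        raise RuntimeError("privilege drop incomplete")
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return True       # expected: the drop cannot be undone
        raise RuntimeError("privileges could be regained")
    return True


def drop_to_current_ids():
    """Drop to the ids the process already has, so the example runs unprivileged."""
    return drop_privileges(os.getuid(), os.getgid())


def still_bound(*socks):
    """Sockets opened before the drop stay usable after it."""
    return all(s.getsockname()[1] > 0 for s in socks)


if __name__ == "__main__":
    conf_port = 514   # the port in the rsyslog.conf posted in this thread
    print(f"port {conf_port} needs root to bind: {port_needs_privilege(conf_port)}")
    # Constructed stand-in: an ephemeral loopback port so this runs as any user.
    udp, tcp = open_listeners(0)
    print("bound before drop:", udp.getsockname(), tcp.getsockname())
    drop_to_current_ids()
    print("uid/gid now", os.getuid(), os.getgid(), "- sockets still bound:", still_bound(udp, tcp))
```

Run as root with a real uid/gid and port 514, the same code reproduces the "groupid changed to" / "userid changed to" pair from the log above; run as a normal user it shows the other half of the story, the bind refusal on 514 (PermissionError) that the first post hit.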


rgerhards at hq

Jan 31, 2012, 7:05 AM

Post #4 of 37 (437 views)
Re: rsyslog as non-root user [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Tuesday, January 31, 2012 4:04 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> Rainer: thanks for this...:-) !
>
> Now I have added the following to rsyslog.conf:
> $PrivDropToGroup <GROUP>
> $PrivDropToUser <USER>
>
> When starting rsyslog, it hangs for a long time and fails - but processes
> are started fine and everyting is otherwise working fine:
> # service rsyslog start
> Starting system logger: [FAILED]
>
> Running proccesses during hang...:
> root 26710 20551 0 16:48 pts/0 00:00:00 /bin/sh /sbin/service rsyslog start
> root 26715 26710 0 16:48 pts/0 00:00:00 /bin/bash /etc/init.d/rsyslog start
> root 26718 26715 0 16:48 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6
> root 26719 26718 0 16:48 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6
> <USER> 26724 26719 0 16:48 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>
> Running proccesses after "failed" statement:
> <USER> 26724 1 0 16:48 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>
> Stopping rsyslog causes no problem though...
> # service rsyslog stop
> Shutting down system logger: [ OK ]
>
> It doesn't state anything wrong in the logs:
> 2012-01-31T16:48:55.612782+02:00 HOSTNAME rsyslogd: [origin
> software="rsyslogd" swVersion="6.3.6" x-pid="26724" x-info="
> http://www.rsyslog.com"] start
> 2012-01-31T16:48:55.612664+02:00 HOSTNAME rsyslogd: rsyslogd's groupid
> changed to <ID>
> 2012-01-31T16:48:55.612709+02:00 HOSTNAME rsyslogd: rsyslogd's userid
> changed to <ID>
>
> Rainer: It is working now, but FYI: I will send you the debug information
> directly...

Yeah, that would be great. Be sure to include a full debug log.

Rainer
>
> Thanks for your help :-) !
>
>
> Br.
> ~maymann
>
>
> 2012/1/31 Rainer Gerhards <rgerhards [at] hq>
>
> > The right approach is to use the permission drop features of rsyslog
> > to make it itself run as non-root. I v6, it will run as root only to
> > open critical things (like the UDP ports) and then drops privileges
> > (in a way that never can be undone without a full restart).
> >
> > HTH
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > > bounces [at] lists] On Behalf Of Michael Maymann
> > > Sent: Tuesday, January 31, 2012 3:02 PM
> > > To: rsyslog [at] lists
> > > Subject: [rsyslog] rsyslog as non-root user
> > >
> > > Hi,
> > >
> > > I have now setup a 6.3.6-devel rsyslog server that is working fine
> > > running as root.
> > > I would like to run it as non-root user as my logfiles are located
> > > on NFS (and root export of NFS is generally not a good idea !).
> > >
> > > Here is my rsyslog.conf:
> > > #LOAD MODULES
> > > $ModLoad imudp
> > > $UDPServerRun 514
> > > $UDPServerAddress 127.0.0.1
> > > $ModLoad imtcp
> > > $InputTCPServerRun 514
> > > #SET DESTINATION FOR LOGS
> > > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > #SET LOGGING CONDITIONS
> > > if $syslogseverity <= '6' then ?DYNmessages
> > > if $syslogfacility-text == 'authpriv' then ?DYNsecure
> > > if $syslogfacility-text == 'mail' then ?DYNmaillog
> > > if $syslogfacility-text == 'cron' then ?DYNcron
> > > if $syslogseverity-text == 'crit' then ?DYNspooler
> > > if $syslogfacility-text == 'local7' then ?DYNboot
> > > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> > >
> > > Here is my logfile when I try to start rsyslog as a non-root user:
> > > 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> > > 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> > > 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> > > 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> > > 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> > > 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> > > 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> > >
> > > So permissions to bind and sockets seems to be the problem...
> > >
> > > 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> > > yes: how ?
> > > 2a. Is it possible to add permissions for non-root user to run rsyslog
> > > server - if yes: how ?
> > > 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> > > this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> > >
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/


david at lang

Jan 31, 2012, 3:57 PM

Post #5 of 37 (436 views)
Re: rsyslog as non-root user [In reply to]

On Tue, 31 Jan 2012, Michael Maymann wrote:

> Hi,
>
> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> as root.
> I would like to run it as non-root user as my logfiles are located on NFS
> (and root export of NFS is generally not a good idea !).
>
> Here is my rsyslog.conf:
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> if $syslogfacility-text == 'mail' then ?DYNmaillog
> if $syslogfacility-text == 'cron' then ?DYNcron
> if $syslogseverity-text == 'crit' then ?DYNspooler
> if $syslogfacility-text == 'local7' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> then ?DYNtraps
>
> Here is my logfile when I try to start rsyslog as a non-root user:
> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>
> So permissions to bind and sockets seems to be the problem...

yes, you cannot bind to ports <1024 as a normal user (without making some
other non-standard changes through sysctl)

> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> yes: how ?

permission drop features

> 2a. Is it possible to add permissions for non-root user to run rsyslog
> server - if yes: how ?

pick a listening port > 1024 and it should work.

> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?

su can run a command as a different user.

although as Rainer points out, you may just be looking for the permission
dropping features that are already in rsyslog.

David Lang
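David's two points above (the bind refusals come from asking for a privileged port without root, and the "groupid/userid changed" pair is the sign the drop worked) can be checked mechanically against what rsyslogd writes at start-up. The following Python is an added example for this thread, not part of rsyslog or of any post; its sample input is the log lines from the first and third posts, re-joined onto single lines with the <hostname> and <ID> placeholders kept as posted, and the 1024 boundary is the assumed default for the host the reader runs it on.

```python
"""Triage an rsyslogd start-up log: did the listeners bind, did the drop run?

Added example for the rsyslog thread; not rsyslog code.
"""
import re

# Messages rsyslogd itself emits at start-up, as seen in this thread.
STARTED      = re.compile(r'\[origin software="rsyslogd" swVersion="([^"]+)" x-pid="(\d+)"')
BIND_DENIED  = re.compile(r"rsyslogd: bind: Permission denied")
UDP_DISABLED = re.compile(r"No UDP listen socket could successfully be initialized")
TCP_IGNORED  = re.compile(r"Could not create tcp listener, ignoring port (\d+)")
GID_CHANGED  = re.compile(r"rsyslogd's groupid changed to (\S+)")
UID_CHANGED  = re.compile(r"rsyslogd's userid changed to (\S+)")

# Sample input: the lines posted in this thread, re-joined onto single lines.
FAILED_START = [  # first post: started as a non-root user, port 514 in rsyslog.conf
    '2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start',
    '2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied',
    '2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied',
    '2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.',
    '2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.',
    '2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]',
    '2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]',
]
DROPPED_START = [  # third post: started as root with $PrivDropToUser/$PrivDropToGroup
    '2012-01-31T16:48:55.612782+02:00 HOSTNAME rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26724" x-info="http://www.rsyslog.com"] start',
    "2012-01-31T16:48:55.612664+02:00 HOSTNAME rsyslogd: rsyslogd's groupid changed to <ID>",
    "2012-01-31T16:48:55.612709+02:00 HOSTNAME rsyslogd: rsyslogd's userid changed to <ID>",
]


def analyze_startup(lines):
    """Summarize one rsyslogd start from its log lines."""
    report = {
        "version": None, "pid": None,
        "bind_denied": 0, "udp_disabled": False, "tcp_ports_ignored": [],
        "dropped_gid": None, "dropped_uid": None,
    }
    for line in lines:
        if m := STARTED.search(line):
            report["version"], report["pid"] = m.group(1), int(m.group(2))
        elif BIND_DENIED.search(line):
            report["bind_denied"] += 1
        elif UDP_DISABLED.search(line):
            report["udp_disabled"] = True
        elif m := TCP_IGNORED.search(line):
            report["tcp_ports_ignored"].append(int(m.group(1)))
        elif m := GID_CHANGED.search(line):
            report["dropped_gid"] = m.group(1)
        elif m := UID_CHANGED.search(line):
            report["dropped_uid"] = m.group(1)
    return report


def verdict(report, unprivileged_start=1024):
    """Name the outcome. 1024 is the assumed boundary for ports that need root."""
    refused = report["bind_denied"] or report["udp_disabled"] or report["tcp_ports_ignored"]
    if refused:
        low = [p for p in report["tcp_ports_ignored"] if p < unprivileged_start]
        if report["bind_denied"] and low:
            return "privileged-port-refused"   # non-root process asked for a port < boundary
        return "bind-failed"                   # some other bind problem; read the lines
    if report["dropped_uid"] and report["dropped_gid"]:
        return "privs-dropped"                 # listeners up, now running unprivileged
    return "no-drop-logged"                    # no bind errors, but still root


if __name__ == "__main__":
    for name, lines in (("failed start", FAILED_START), ("priv-drop start", DROPPED_START)):
        r = analyze_startup(lines)
        print(f"{name}: pid={r['pid']} version={r['version']} -> {verdict(r)}")
```

A "privileged-port-refused" verdict is the case David describes: either start as root and drop, or move the listener to a port above the boundary. "no-drop-logged" on a host that is supposed to use $PrivDropToUser is worth an alert of its own, since the daemon is then running as root without anyone noticing.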


michael at maymann

Feb 1, 2012, 12:08 AM

Post #6 of 37 (435 views)
Re: rsyslog as non-root user [In reply to]

Hi,

David: thanks - got it working with permission dropping, by far my preferred
configuration... just didn't know of it...:-) !
Rainer: please let us know if the debug info of the "permission dropping:
hang+timeout" I sent you can solve anything... anyway it works now - but
not optimal if other people have to service my setup...:-) !

Thanks in advance :-) !
~maymann

2012/2/1 <david [at] lang>

> On Tue, 31 Jan 2012, Michael Maymann wrote:
>
> Hi,
>>
>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>> as root.
>> I would like to run it as non-root user as my logfiles are located on NFS
>> (and root export of NFS is generally not a good idea !).
>>
>> Here is my rsyslog.conf:
>> #LOAD MODULES
>> $ModLoad imudp
>> $UDPServerRun 514
>> $UDPServerAddress 127.0.0.1
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>> #SET DESTINATION FOR LOGS
>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>> #SET LOGGING CONDITIONS
>> if $syslogseverity <= '6' then ?DYNmessages
>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>> if $syslogfacility-text == 'cron' then ?DYNcron
>> if $syslogseverity-text == 'crit' then ?DYNspooler
>> if $syslogfacility-text == 'local7' then ?DYNboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>> then ?DYNtraps
>>
>> Here is my logfile when I try to start rsyslog as a non-root user:
>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>
>> So permissions to bind and sockets seems to be the problem...
>>
>
> yes, you cannot bind to ports <1024 as a normal user (without making some
> other non-standard changes through sysctl)
>
>
> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>> yes: how ?
>>
>
> permission drop features
>
>
> 2a. Is it possible to add permissions for non-root user to run rsyslog
>> server - if yes: how ?
>>
>
> pick a listening port > 1024 and it should work.
>
>
> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>
>
> su can run a command as a different user.
>
> although as Rainer points out, you may just be looking for the permission
> dropping features that are already in rsyslog.
>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>


rgerhards at hq

Feb 1, 2012, 11:03 PM

Post #7 of 37 (427 views)
Re: rsyslog as non-root user [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Wednesday, February 01, 2012 9:08 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> David: thanks - got it working with permission dropping, by far my
> prefered configuration... just didn't know of it...:-) !
> Rainer: please let us know if the debug info of the "permission
> dropping: hang+timeout" I send you can solve anything... anyway it works
> now - but not optimal if other people have to service my setup...:-) !

I have reviewed the debug log and I see nothing unexpected. From the
timestamps I also see that there is no hang whatsoever. So it looks like
there is some problem with the startup script, which I don't know. I suggest
asking what the FAILED status is caused by. We can then look into why this
happens.

Sorry I have no better answer...
Rainer

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/1 <david [at] lang>
>
> > On Tue, 31 Jan 2012, Michael Maymann wrote:
> >
> > Hi,
> >>
> >> I have now setup a 6.3.6-devel rsyslog server that is working fine
> >> running as root.
> >> I would like to run it as non-root user as my logfiles are located
> >> on NFS (and root export of NFS is generally not a good idea !).
> >>
> >> Here is my rsyslog.conf:
> >> #LOAD MODULES
> >> $ModLoad imudp
> >> $UDPServerRun 514
> >> $UDPServerAddress 127.0.0.1
> >> $ModLoad imtcp
> >> $InputTCPServerRun 514
> >> #SET DESTINATION FOR LOGS
> >> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >> #SET LOGGING CONDITIONS
> >> if $syslogseverity <= '6' then ?DYNmessages
> >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> >> if $syslogfacility-text == 'cron' then ?DYNcron
> >> if $syslogseverity-text == 'crit' then ?DYNspooler
> >> if $syslogfacility-text == 'local7' then ?DYNboot
> >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> >> then ?DYNtraps
> >>
> >> Here is my logfile when I try to start rsyslog as a non-root user:
> >> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> >> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> >> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> >> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> >> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> >> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> >> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >>
> >> So permissions to bind and sockets seems to be the problem...
> >>
> >
> > yes, you cannot bind to ports <1024 as a normal user (without making some
> > other non-standard changes through sysctl)
> >
> >
> > 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> >> yes: how ?
> >>
> >
> > permission drop features
> >
> >
> > 2a. Is it possible to add permissions for non-root user to run rsyslog
> >> server - if yes: how ?
> >>
> >
> > pick a listening port > 1024 and it should work.
> >
> >
> > 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >>
> >
> > su can run a command as a different user.
> >
> > although as Rainer points out, you may just be looking for the permission
> > dropping features that are already in rsyslog.
> >
> > David Lang
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


michael at maymann

Feb 2, 2012, 1:03 AM

Post #8 of 37 (428 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Here is my startup script... the only thing changed is the path to the new
6.3.6-rsyslog-devel binary.
The startup script also works perfectly when I comment out
PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
both or one of the entries:
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslogd
#exec=/sbin/rsyslogd
exec=/usr/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

start() {
    [ -x $exec ] || exit 5

    # Source config
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    fi
    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down system logger: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}

rhstatus() {
    status -p "${PIDFILE}" $prog
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac

exit $?

2012/2/2 Rainer Gerhards <rgerhards [at] hq>

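The two directives named in the post above, $PrivDropToUser and $PrivDropToGroup, are rsyslog's legacy-format privilege-drop settings. Put together with the pieces the NFS use case needs around them, a complete fragment looks like the one below. It is an added example, not Michael's configuration and not text from the rsyslog documentation; the account name "syslog" and the create modes are assumptions, and <PATH_TO> is left as it is in the original post.

```conf
# Inputs first. The 514/udp and 514/tcp sockets are bound during startup,
# while rsyslogd is still root, so the privileged ports keep working after
# the drop. A legacy directive applies to the Run directive that FOLLOWS
# it, so the bind address has to come before $UDPServerRun.
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# Drop privileges once startup is done. "syslog" is an assumed account:
# create it first, or use $PrivDropToUserID / $PrivDropToGroupID with
# numeric ids. From here on every mkdir(), open() and write() on the NFS
# export is done by this account, not by (squashed) root.
$PrivDropToUser syslog
$PrivDropToGroup syslog

# Ownership and modes for the per-host directories and files the dynafile
# templates create. The owner must be the drop account itself: an
# unprivileged process cannot chown to anyone else, and a failed chown
# fails the write ($FailOnChownFailure defaults to on).
$CreateDirs on
$DirOwner syslog
$DirGroup syslog
$DirCreateMode 0750
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640

# Destinations as in the original post (<PATH_TO> left as posted).
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
if $syslogseverity <= '6' then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
```

Two things are worth checking against the configuration quoted at the top of the thread. First, ordering: $UDPServerAddress applies to the $UDPServerRun that follows it, so with the address set after the run directive the UDP listener is bound to all addresses, not only 127.0.0.1. Second, what the drop does and does not cover: the socket binds happen before the drop, which is why port 514 still works with the drop enabled, as reported earlier in the thread, while every file and directory on the export is created by the drop account instead of by root. David's other route, a listening port above 1024 and starting rsyslogd as that account from the outset (su or runuser in the init script), avoids root entirely but gives up the privileged ports.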


rgerhards at hq

Feb 2, 2012, 1:06 AM

Post #9 of 37 (428 views)
Permalink
Re: rsyslog as non-root user [In reply to]

I can only help you with that part if you point me to why exactly the script
claims what it does. So you may want to try to find someone who can do that. I
know this is probably a trivial question, but I don't know anything ;)

Sry, rainer



michael at maymann

Feb 2, 2012, 1:39 AM

Post #10 of 37 (442 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi,

Rainer: Sorry... forgot to mention that it doesn't say anything about
failing in the logs... and it actually doesn't fail... it works, and after
the timeout+failed notice only the process owned by PrivDropToUser-USER is
present, but now owned by the init process (the parent process dies):
# service rsyslog start
Starting system logger: [FAILED]

BEFORE failed status:
root                  9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
<PrivDropToUser-USER> 9131 9126 0 11:07 ?     00:00:00 /usr/sbin/rsyslogd -c 6

AFTER failed status: the root-owned process is killed and the
PrivDropToUser-USER-owned process therefore gets owned by init:
<PrivDropToUser-USER> 9131    1 0 11:07 ?     00:00:00 /usr/sbin/rsyslogd -c 6

Anyone who can help with this...?
Here is the debug output when running the init script:
#/etc/init.d/rsyslog start
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
++ '[' -z '' ']'
++ COLUMNS=80
++ '[' -z '' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
++ . /etc/profile.d/lang.sh
++ unset LANGSH_SOURCED
++ '[' -z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[.60G'
+++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
+++ SETCOLOR_WARNING='echo -en \033[.0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ PROMPT=yes
+++ AUTOSWAP=no
+++ ACTIVE_CONSOLES='/dev/tty[1-6]'
+++ SINGLE=/sbin/sushell
++ '[' pty = serial ']'
++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
+ RETVAL=0
+ PIDFILE=/var/run/syslogd.pid
+ prog=rsyslogd
+ exec=/usr/sbin/rsyslogd
+ lockfile=/var/lock/subsys/rsyslogd
+ case "$1" in
+ start
+ '[' -x /usr/sbin/rsyslogd ']'
+ '[' -f /etc/sysconfig/rsyslog ']'
+ . /etc/sysconfig/rsyslog
++ SYSLOGD_OPTIONS='-c 6'
+ umask 077
+ echo -n 'Starting system logger: '
Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
+ local gotbase= force= nicelevel corelimit
+ local pid base= user= nice= bg= pid_file=
+ local cgroup=
+ nicelevel=0
+ '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
+ case $1 in
+ pid_file=/var/run/syslogd.pid
+ shift
+ '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
+ '[' -z '' ']'
+ base=rsyslogd
+ __pids_var_run rsyslogd /var/run/syslogd.pid
+ local base=rsyslogd
+ local pid_file=/var/run/syslogd.pid
+ pid=
+ '[' -f /var/run/syslogd.pid ']'
+ return 3
+ '[' -n '' -a -z '' ']'
+ corelimit='ulimit -S -c 0'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' color = verbose -a -z '' ']'
+ '[' -z '' ']'
+ /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
...
(hangs here for a long time)
...
+ '[' 1 -eq 0 ']'
+ failure 'rsyslogd startup'
+ local rc=1
+ '[' color '!=' verbose -a -z '' ']'
+ echo_failure
+ '[' color = color ']'
+ echo -en '\033[.60G'
+ echo -n '['
[+ '[' color = color ']'
+ echo -en '\033[.0;31m'
+ echo -n FAILED
FAILED+ '[' color = color ']'
+ echo -en '\033[0;39m'
+ echo -n ']'
]+ echo -ne '\r'
+ return 1
+ '[' -x /usr/bin/plymouth ']'
+ /usr/bin/plymouth --details
+ return 1
+ RETVAL=1
+ echo

+ '[' 1 -eq 0 ']'
+ return 1
+ exit 1

I have tried to give 777 access to /var/run and /var/lock/subsys - but the
same thing happens...


Thanks in advance :-) !

Br.
~maymann


2012/2/2 Rainer Gerhards <rgerhards [at] hq>

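What the trace above records is the daemon() helper from /etc/init.d/functions running rsyslogd in the foreground of a bash -c and taking its exit status as the verdict: the root-owned parent sits for a long time, exits 1, and the privilege-dropped child lives on with ppid 1. That is the picture a forking daemon produces when the child reports "initialisation done" to its parent with a signal sent after it has already changed uid. An unprivileged process may only signal a target whose real or saved uid matches its own real or effective uid (otherwise it needs CAP_KILL), so a kill(getppid(), SIGTERM) from the dropped child fails with EPERM and the parent waits out its timeout. Whether that is the actual mechanism in 6.3.6 is not settled by the posts above. The program below is an added example, not rsyslog code; it implements both handshake styles so the behaviour can be reproduced and compared. The uid/gid 65534 used for the drop is an assumption (nobody on many systems), and the three-second timeout stands in for the much longer one a real daemon would use.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example, not rsyslog code: two ways for a forking daemon's child to
 * tell the parent "initialised, exit 0 now", and what a privilege drop in
 * the child does to each. drop_uid == 0 means no drop. Numeric ids are an
 * assumption (a real daemon resolves a name with getpwnam). */
/* Groups, then gid, then uid: the last call discards root for good. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return 0;
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1)
        return -1;
    return setuid(uid);            /* sets real, effective and saved uid */
}

/* sysklogd-style handshake: child sends SIGTERM; parent exits 0 on receipt
 * or non-zero when its timeout expires. 0 = arrived, 1 = timed out, -1 = error. */
int start_with_signal_handshake(uid_t drop_uid, gid_t drop_gid, int timeout_s)
{
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, SIGTERM);
    /* Block SIGTERM before forking so a fast child cannot deliver it before
     * the parent is waiting; the child inherits the blocked mask. */
    if (sigprocmask(SIG_BLOCK, &set, &old) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }
    if (pid == 0) {
        /* Child: init, then the drop, then the notification. After setuid()
         * to a non-root uid, kill() of the root-owned parent fails with EPERM
         * (sender needs CAP_KILL or a real/effective uid equal to the target's
         * real or saved uid), so the parent waits out its timeout. */
        if (drop_privileges(drop_uid, drop_gid) == -1)
            _exit(2);
        kill(getppid(), SIGTERM);  /* EPERM after a real drop */
        _exit(0);                  /* a daemon would enter its main loop */
    }
    struct timespec ts = { .tv_sec = timeout_s, .tv_nsec = 0 };
    int sig;
    do {
        sig = sigtimedwait(&set, NULL, &ts);   /* -1/EAGAIN on timeout */
    } while (sig == -1 && errno == EINTR);
    sigprocmask(SIG_SETMASK, &old, NULL);
    waitpid(pid, NULL, 0);
    return sig == SIGTERM ? 0 : 1;
}

/* Pipe handshake: child writes one status byte on a pipe created before the
 * fork. Pipe writes are not subject to the kill() permission check, so this
 * survives the drop. 0 = 'R' received, 1 = child died or sent 'E', -1 = error. */
int start_with_pipe_handshake(uid_t drop_uid, gid_t drop_gid)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        close(fds[0]);
        char st = drop_privileges(drop_uid, drop_gid) == -1 ? 'E' : 'R';
        if (write(fds[1], &st, 1) != 1)
            st = 'E';
        close(fds[1]);             /* parent reads EOF if we die silently */
        _exit(st == 'R' ? 0 : 2);
    }
    close(fds[1]);                 /* parent keeps only the read end */
    char st = 0;
    ssize_t n;
    do {
        n = read(fds[0], &st, 1);  /* n == 0: child gone without a word */
    } while (n == -1 && errno == EINTR);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (n == 1 && st == 'R') ? 0 : 1;
}

int main(void)
{
    /* Assumed: 65534 is unprivileged (nobody on many systems); non-root runs pass 0. */
    uid_t id = geteuid() == 0 ? 65534 : 0;
    printf("signal: %d (0 notified, 1 timed out)\n", start_with_signal_handshake(id, id, 3));
    printf("pipe:   %d (0 notified, 1 not notified)\n", start_with_pipe_handshake(id, id));
    return 0;
}
```

Compiled with cc -o handshake handshake.c and run unprivileged, both calls return 0. Run as root, the signal variant returns 1 after three seconds while the pipe variant still returns 0: the FAILED verdict reproduced with a correctly dropped child. A pipe has a second advantage the signal lacks: the child can say why it failed, and the parent sees EOF rather than silence if the child dies before reporting.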


michael at maymann

Feb 2, 2012, 5:28 AM

Post #11 of 37 (428 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi Rainer,

I really have my doubts that it has something to do with my startup script:
1. I only changed exec=/usr/sbin/rsyslogd from the default.
2. It works perfectly when PrivDropTo is not used in rsyslog.conf.

I'm running on RHEL6.1_x64.
Do you have a working /etc/init.d/rsyslog that you can share / I can test...?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <michael [at] maymann>

> Hi,
>
> Rainer: Sorry... forgot to mention that it doesn't say anything about
> failing in the logs... and it actually doesn't fail... it works and after
> the timeout+failed notice only the process owned by PrivDropToUser-USER is
> present, but now owned by the init process (mother process dies):
>
> # service rsyslog start
> Starting system logger: [FAILED]
>
> BEFORE failed status:
> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
> /usr/sbin/rsyslogd -c 6
>
> AFTER failed status the root-owned process is killed and the PrivDropToUser-USER
> owned process therefore gets owned by init:
> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
> /usr/sbin/rsyslogd -c 6
>
> Anyone who can help with this...?:
> here is the debug output when starting running the init-script:
> #/etc/init.d/rsyslog start
> + . /etc/init.d/functions
> ++ TEXTDOMAIN=initscripts
> ++ umask 022
> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> ++ export PATH
> ++ '[' -z '' ']'
> ++ COLUMNS=80
> ++ '[' -z '' ']'
> +++ /sbin/consoletype
> ++ CONSOLETYPE=pty
> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> ++ . /etc/profile.d/lang.sh
> ++ unset LANGSH_SOURCED
> ++ '[' -z '' ']'
> ++ '[' -f /etc/sysconfig/init ']'
> ++ . /etc/sysconfig/init
> +++ BOOTUP=color
> +++ RES_COL=60
> +++ MOVE_TO_COL='echo -en \033[.60G'
> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
> +++ PROMPT=yes
> +++ AUTOSWAP=no
> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> +++ SINGLE=/sbin/sushell
> ++ '[' pty = serial ']'
> ++
> __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> + RETVAL=0
> + PIDFILE=/var/run/syslogd.pid
> + prog=rsyslogd
> + exec=/usr/sbin/rsyslogd
> + lockfile=/var/lock/subsys/rsyslogd
> + case "$1" in
> + start
> + '[' -x /usr/sbin/rsyslogd ']'
> + '[' -f /etc/sysconfig/rsyslog ']'
> + . /etc/sysconfig/rsyslog
> ++ SYSLOGD_OPTIONS='-c 6'
> + umask 077
> + echo -n 'Starting system logger: '
> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
> /usr/sbin/rsyslogd -c 6
> + local gotbase= force= nicelevel corelimit
> + local pid base= user= nice= bg= pid_file=
> + local cgroup=
> + nicelevel=0
> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> + case $1 in
> + pid_file=/var/run/syslogd.pid
> + shift
> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> + '[' -z '' ']'
> + base=rsyslogd
> + __pids_var_run rsyslogd /var/run/syslogd.pid
> + local base=rsyslogd
> + local pid_file=/var/run/syslogd.pid
> + pid=
> + '[' -f /var/run/syslogd.pid ']'
> + return 3
> + '[' -n '' -a -z '' ']'
> + corelimit='ulimit -S -c 0'
> + '[' -n '' ']'
> + '[' -n '' ']'
> + '[' color = verbose -a -z '' ']'
> + '[' -z '' ']'
> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> ...
> (hangs here for a long time)
> ...
> + '[' 1 -eq 0 ']'
> + failure 'rsyslogd startup'
> + local rc=1
> + '[' color '!=' verbose -a -z '' ']'
> + echo_failure
> + '[' color = color ']'
> + echo -en '\033[.60G'
> + echo -n '['
> [+ '[' color = color ']'
> + echo -en '\033[.0;31m'
> + echo -n FAILED
> FAILED+ '[' color = color ']'
> + echo -en '\033[0;39m'
> + echo -n ']'
> ]+ echo -ne '\r'
> + return 1
> + '[' -x /usr/bin/plymouth ']'
> + /usr/bin/plymouth --details
> + return 1
> + RETVAL=1
> + echo
>
> + '[' 1 -eq 0 ']'
> + return 1
> + exit 1
>
> I have tried to give 777-access to /var/run and /var/lock/subsys - but
> same thing happens...
>
>
>
> Thanks in advance :-) !
>
> Br.
> ~maymann
>
>
>
> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>
>> I can only help you with that part if you point me to why exactly the
>> script claims what it does. So you may want to try find someone who can do that.
>> I know this is probably a trivial question, but I don't know anything ;)
>>
>> Sry, rainer
>>
>> > -----Original Message-----
>> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
>> > bounces [at] lists] On Behalf Of Michael Maymann
>> > Sent: Thursday, February 02, 2012 10:03 AM
>> > To: rsyslog-users
>> > Subject: Re: [rsyslog] rsyslog as non-root user
>> >
>> > Here is my startup script... only thing changed is the path to the new
>> > 6.3.6-rsyslog-devel binary.
>> > The startup script also works perfectly when I comment out the
>> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
>> > have both or one of the entries...:
>> > #!/bin/bash
>> > #
>> > # rsyslog Starts rsyslogd/rklogd.
>> > #
>> > #
>> > # chkconfig: 2345 12 88
>> > # description: Syslog is the facility by which many daemons use to log \
>> > # messages to various system log files. It is a good idea to always \
>> > # run rsyslog.
>> > ### BEGIN INIT INFO
>> > # Provides: $syslog
>> > # Required-Start: $local_fs
>> > # Required-Stop: $local_fs
>> > # Default-Start: 2 3 4 5
>> > # Default-Stop: 0 1 6
>> > # Short-Description: Enhanced system logging and kernel message trapping daemons
>> > # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>> > # among others, MySQL, syslog/tcp, RFC 3195, permitted
>> > # sender lists, filtering on any message part, and fine
>> > # grain output format control.
>> > ### END INIT INFO
>> >
>> > # Source function library.
>> > . /etc/init.d/functions
>> >
>> > RETVAL=0
>> > PIDFILE=/var/run/syslogd.pid
>> >
>> > prog=rsyslogd
>> > #exec=/sbin/rsyslogd
>> > exec=/usr/sbin/rsyslogd
>> > lockfile=/var/lock/subsys/$prog
>> >
>> > start() {
>> > [ -x $exec ] || exit 5
>> >
>> > # Source config
>> > if [ -f /etc/sysconfig/rsyslog ] ; then
>> > . /etc/sysconfig/rsyslog
>> > fi
>> > umask 077
>> >
>> > echo -n $"Starting system logger: "
>> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>> > RETVAL=$?
>> > echo
>> > [ $RETVAL -eq 0 ] && touch $lockfile
>> > return $RETVAL
>> > }
>> > stop() {
>> > echo -n $"Shutting down system logger: "
>> > killproc $prog
>> > RETVAL=$?
>> > echo
>> > [ $RETVAL -eq 0 ] && rm -f $lockfile
>> > return $RETVAL
>> > }
>> > reload() {
>> > RETVAL=1
>> > syslog=$(cat "${PIDFILE}" 2>/dev/null)
>> > echo -n "Reloading system logger..."
>> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>> > kill -HUP "$syslog";
>> > RETVAL=$?
>> > fi
>> > if [ $RETVAL -ne 0 ]; then
>> > failure
>> > else
>> > success
>> > fi
>> > echo
>> > return $RETVAL
>> > }
>> > rhstatus() {
>> > status -p "${PIDFILE}" $prog
>> > }
>> > restart() {
>> > stop
>> > start
>> > }
>> >
>> > case "$1" in
>> > start)
>> > start
>> > ;;
>> > stop)
>> > stop
>> > ;;
>> > restart)
>> > restart
>> > ;;
>> > reload|force-reload)
>> > reload
>> > ;;
>> > status)
>> > rhstatus
>> > ;;
>> > condrestart|try-restart)
>> > rhstatus >/dev/null 2>&1 || exit 0
>> > restart
>> > ;;
>> > *)
>> > echo $"Usage: $0
>> > {start|stop|restart|condrestart|try-restart|reload|force-
>> > reload|status}"
>> > exit 2
>> > esac
>> >
>> > exit $?
>> >
>> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>> >
>> > >
>> > >
>> > > > -----Original Message-----
>> > > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
>> > > > bounces [at] lists] On Behalf Of Michael Maymann
>> > > > Sent: Wednesday, February 01, 2012 9:08 AM
>> > > > To: rsyslog-users
>> > > > Subject: Re: [rsyslog] rsyslog as non-root user
>> > > >
>> > > > Hi,
>> > > >
>> > > > David: thanks - got it working with permission dropping, by far my
>> > > > preferred configuration... just didn't know of it...:-) !
>> > > > Rainer: please let us know if the debug info of the "permission
>> > > > dropping: hang+timeout" I sent you can solve anything... anyway it works now -
>> > > > but not optimal if other people have to service my setup...:-) !
>> > >
>> > > I have reviewed the debug log and I see nothing unexpected. From the
>> > > timestamps I also see that there is no hang whatsoever. So it looks like
>> > > there is some problem with the startup script, which I don't know. I
>> > > suggest to ask what the FAILED status is caused by. We can then look why this
>> > > happens.
>> > >
>> > > Sorry I have no better answer...
>> > > Rainer
>> > >
>> > > >
>> > > > Thanks in advance :-) !
>> > > > ~maymann
>> > > >
>> > > > 2012/2/1 <david [at] lang>
>> > > >
>> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote:
>> > > > >
>> > > > > Hi,
>> > > > >>
>> > > > >> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>> > > > >> as root.
>> > > > >> I would like to run it as non-root user as my logfiles are located on NFS
>> > > > >> (and root export of NFS is generally not a good idea !).
>> > > > >>
>> > > > >> Here is my rsyslog.conf:
>> > > > >> #LOAD MODULES
>> > > > >> $ModLoad imudp
>> > > > >> $UDPServerRun 514
>> > > > >> $UDPServerAddress 127.0.0.1
>> > > > >> $ModLoad imtcp
>> > > > >> $InputTCPServerRun 514
>> > > > >> #SET DESTINATION FOR LOGS
>> > > > >> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> > > > >> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> > > > >> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> > > > >> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> > > > >> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> > > > >> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> > > > >> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>> > > > >> #SET LOGGING CONDITIONS
>> > > > >> if $syslogseverity <= '6' then ?DYNmessages
>> > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>> > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog
>> > > > >> if $syslogfacility-text == 'cron' then ?DYNcron
>> > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler
>> > > > >> if $syslogfacility-text == 'local7' then ?DYNboot
>> > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>> > > > 'WARNING'
>> > > > >> then ?DYNtraps
>> > > > >>
>> > > > >> Here is my logfile when I try to start rsyslog as a non-root
>> > user:
>> > > > >> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>> > > > >> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>> > > > >> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>> > > > >> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>> > > > >> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>> > > > >> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>> > > > >> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>> > > > >>
>> > > > >> So permissions to bind and sockets seems to be the problem...
>> > > > >>
>> > > > >
>> > > > > yes, you cannot bind to ports <1024 as a normal user (without making
>> > > > > some other non-standard changes through sysctl)
>> > > > >
>> > > > >
>> > > > >> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>> > > > >> yes: how ?
>> > > > >>
>> > > > >
>> > > > > permission drop features
>> > > > >
>> > > > >
>> > > > >> 2a. Is it possible to add permissions for non-root user to run rsyslog
>> > > > >> server - if yes: how ?
>> > > > >>
>> > > > >
>> > > > > pick a listening port > 1024 and it should work.
>> > > > >
>> > > > >
>> > > > >> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>> > > > >>
>> > > > >
>> > > > > su can run a command as a different user.
>> > > > >
>> > > > > although as Rainer points out, you may just be looking for the permission
>> > > > > dropping features that are already in rsyslog.
>> > > > >
>> > > > > David Lang
>> > > > >
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
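The ps listing quoted in this post shows the two states a defender needs to tell apart after switching rsyslog to PrivDropToUser: a root-owned parent with a child running as the drop account, and, once the init script has given up, that child re-parented to PID 1. The earlier quoted exchange shows the other failure mode, rsyslogd started directly as an unprivileged user and denied the bind on port 514. The POSIX shell functions below are an added illustration, not code from the thread or from the rsyslog project: they turn those observations into checks that can be run over `ps -eo user,pid,ppid,comm` output and over a list of configured listener ports. The process listings and port list embedded in the block are constructed to mirror the post; the account name `loguser` is an assumed placeholder for the PrivDropToUser account.

```shell
#!/bin/sh
# Added example (not from the thread): post-deployment checks for a daemon that
# is supposed to run without root privileges.  Input is text in the form of
# `ps -eo user,pid,ppid,comm`; the samples below are constructed to mirror the
# listing in the post, with the assumed placeholder account `loguser`.

# Constructed sample: state while the init script is still waiting
# (root-owned parent 9126, child 9131 already running as the drop account).
PS_BEFORE='root 9126 9125 rsyslogd
loguser 9131 9126 rsyslogd
root 1 0 init'

# Constructed sample: state after the root-owned parent has exited and the
# child has been re-parented to PID 1.
PS_AFTER='loguser 9131 1 rsyslogd
root 1 0 init'

# Print the PIDs of processes named $2 in listing $1 whose owner is not $3.
# Any output here means privilege dropping is incomplete for that daemon.
unexpected_owners() {
    printf '%s\n' "$1" | awk -v comm="$2" -v user="$3" \
        '$4 == comm && $1 != user { print $2 }'
}

# Succeed only when every instance of $2 in listing $1 runs as $3.
privdrop_complete() {
    [ -z "$(unexpected_owners "$1" "$2" "$3")" ]
}

# Print the PIDs of processes named $2 in listing $1 whose parent is PID 1,
# i.e. instances whose supervising parent has exited (the symptom in the post).
orphaned_instances() {
    printf '%s\n' "$1" | awk -v comm="$2" '$4 == comm && $3 == 1 { print $2 }'
}

# Succeed when $1 is a port an unprivileged process may bind (1024-65535)
# without CAP_NET_BIND_SERVICE or a changed sysctl; reject non-numeric input.
port_is_unprivileged() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Given a whitespace-separated list of listener ports, print those that a
# daemon started as an unprivileged user could not bind.  For the config in
# the thread (UDP 514 and TCP 514) that is 514, twice.
privileged_ports() {
    for p in $1; do
        port_is_unprivileged "$p" || printf '%s\n' "$p"
    done
    return 0
}

# Stand-alone run: `sh privdrop_check.sh demo` reports on the constructed samples.
if [ "${1:-}" = "demo" ]; then
    echo "before: instances not owned by loguser: $(unexpected_owners "$PS_BEFORE" rsyslogd loguser | tr '\n' ' ')"
    echo "after:  instances re-parented to init:  $(orphaned_instances "$PS_AFTER" rsyslogd | tr '\n' ' ')"
    echo "listener ports that need root:          $(privileged_ports '514 514' | tr '\n' ' ')"
fi
```

On a live host the listing would come from `ps -eo user,pid,ppid,comm` and the port list from the `$UDPServerRun` / `$InputTCPServerRun` lines of rsyslog.conf; the functions only consume text, so they run the same way against captured output from a ticket or an incident timeline.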


rgerhards at hq

Feb 2, 2012, 5:31 AM

Post #12 of 37 (428 views)
Permalink
Re: rsyslog as non-root user [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 2:29 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi Rainer,
>
> I really have my doubts it has something to do with my startup script:
> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>
> I'm running on RHEL6.1_x64.
> Do you have a working /etc/init.d/rsyslog what you can share/I can test...?

No

rg
>
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann <michael [at] maymann>
>
> > Hi,
> >
> > Rainer: Sorry... forgot to mention that it doesn't say anything about
> > failing in the logs... and it actually doesn't fail... it works and
> > after the timeout+failed notice only the process owned by
> > PrivDropToUser-USER is present, but now owned by the init process
> > (mother process dies):
> >
> > # service rsyslog start
> > Starting system logger: [FAILED]
> >
> > BEFORE failed status:
> > root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> > <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
> > /usr/sbin/rsyslogd -c 6
> >
> > AFTER failed status the root-owned process is killed and the
> > PrivDropToUser-USER owned process therefore gets owned by init:
> > <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
> > /usr/sbin/rsyslogd -c 6
> >
> > Anyone who can help with this...?:
> > here is the debug output when starting running the init-script:
> > #/etc/init.d/rsyslog start
> > + . /etc/init.d/functions
> > ++ TEXTDOMAIN=initscripts
> > ++ umask 022
> > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> > ++ export PATH
> > ++ '[' -z '' ']'
> > ++ COLUMNS=80
> > ++ '[' -z '' ']'
> > +++ /sbin/consoletype
> > ++ CONSOLETYPE=pty
> > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > ++ . /etc/profile.d/lang.sh
> > ++ unset LANGSH_SOURCED
> > ++ '[' -z '' ']'
> > ++ '[' -f /etc/sysconfig/init ']'
> > ++ . /etc/sysconfig/init
> > +++ BOOTUP=color
> > +++ RES_COL=60
> > +++ MOVE_TO_COL='echo -en \033[.60G'
> > +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> > +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> > +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> > +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> > +++ PROMPT=yes
> > +++ AUTOSWAP=no
> > +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> > +++ SINGLE=/sbin/sushell
> > ++ '[' pty = serial ']'
> > ++
> > __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> > + RETVAL=0
> > + PIDFILE=/var/run/syslogd.pid
> > + prog=rsyslogd
> > + exec=/usr/sbin/rsyslogd
> > + lockfile=/var/lock/subsys/rsyslogd
> > + case "$1" in
> > + start
> > + '[' -x /usr/sbin/rsyslogd ']'
> > + '[' -f /etc/sysconfig/rsyslog ']'
> > + . /etc/sysconfig/rsyslog
> > ++ SYSLOGD_OPTIONS='-c 6'
> > + umask 077
> > + echo -n 'Starting system logger: '
> > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
> > /usr/sbin/rsyslogd -c 6
> > + local gotbase= force= nicelevel corelimit
> > + local pid base= user= nice= bg= pid_file=
> > + local cgroup=
> > + nicelevel=0
> > + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> > + case $1 in
> > + pid_file=/var/run/syslogd.pid
> > + shift
> > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > + '[' -z '' ']'
> > + base=rsyslogd
> > + __pids_var_run rsyslogd /var/run/syslogd.pid
> > + local base=rsyslogd
> > + local pid_file=/var/run/syslogd.pid
> > + pid=
> > + '[' -f /var/run/syslogd.pid ']'
> > + return 3
> > + '[' -n '' -a -z '' ']'
> > + corelimit='ulimit -S -c 0'
> > + '[' -n '' ']'
> > + '[' -n '' ']'
> > + '[' color = verbose -a -z '' ']'
> > + '[' -z '' ']'
> > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> > ...
> > (hangs here for a long time)
> > ...
> > + '[' 1 -eq 0 ']'
> > + failure 'rsyslogd startup'
> > + local rc=1
> > + '[' color '!=' verbose -a -z '' ']'
> > + echo_failure
> > + '[' color = color ']'
> > + echo -en '\033[.60G'
> > + echo -n '['
> > [+ '[' color = color ']'
> > + echo -en '\033[.0;31m'
> > + echo -n FAILED
> > FAILED+ '[' color = color ']'
> > + echo -en '\033[0;39m'
> > + echo -n ']'
> > ]+ echo -ne '\r'
> > + return 1
> > + '[' -x /usr/bin/plymouth ']'
> > + /usr/bin/plymouth --details
> > + return 1
> > + RETVAL=1
> > + echo
> >
> > + '[' 1 -eq 0 ']'
> > + return 1
> > + exit 1
> >
> > I have tried to give 777-access to /var/run and /var/lock/subsys - but
> > same thing happens...
> >
> >
> >
> > Thanks in advance :-) !
> >
> > Br.
> > ~maymann
> >
> >
> >
> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >
> >> I can only help you with that part if you point me to why exactly the
> >> script claims what it does. So you may want to try find someone who
> >> can do that.
> >> I know this is probably a trivial question, but I don't know anything ;)
> >>
> >> Sry, rainer
> >>
> >> > -----Original Message-----
> >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > bounces [at] lists] On Behalf Of Michael Maymann
> >> > Sent: Thursday, February 02, 2012 10:03 AM
> >> > To: rsyslog-users
> >> > Subject: Re: [rsyslog] rsyslog as non-root user
> >> >
> >> > Here is my startup script... only thing changed is the path to the
> >> > new 6.3.6-rsyslog-devel binary.
> >> > The startup script also works perfectly when I comment out the
> >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
> >> > have both or one of the entries...:
> >> > #!/bin/bash
> >> > #
> >> > # rsyslog Starts rsyslogd/rklogd.
> >> > #
> >> > #
> >> > # chkconfig: 2345 12 88
> >> > # description: Syslog is the facility by which many daemons use to log \
> >> > # messages to various system log files. It is a good idea to always \
> >> > # run rsyslog.
> >> > ### BEGIN INIT INFO
> >> > # Provides: $syslog
> >> > # Required-Start: $local_fs
> >> > # Required-Stop: $local_fs
> >> > # Default-Start: 2 3 4 5
> >> > # Default-Stop: 0 1 6
> >> > # Short-Description: Enhanced system logging and kernel message trapping daemons
> >> > # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> >> > # among others, MySQL, syslog/tcp, RFC 3195, permitted
> >> > # sender lists, filtering on any message part, and fine
> >> > # grain output format control.
> >> > ### END INIT INFO
> >> >
> >> > # Source function library.
> >> > . /etc/init.d/functions
> >> >
> >> > RETVAL=0
> >> > PIDFILE=/var/run/syslogd.pid
> >> >
> >> > prog=rsyslogd
> >> > #exec=/sbin/rsyslogd
> >> > exec=/usr/sbin/rsyslogd
> >> > lockfile=/var/lock/subsys/$prog
> >> >
> >> > start() {
> >> > [ -x $exec ] || exit 5
> >> >
> >> > # Source config
> >> > if [ -f /etc/sysconfig/rsyslog ] ; then
> >> > . /etc/sysconfig/rsyslog
> >> > fi
> >> > umask 077
> >> >
> >> > echo -n $"Starting system logger: "
> >> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> >> > RETVAL=$?
> >> > echo
> >> > [ $RETVAL -eq 0 ] && touch $lockfile
> >> > return $RETVAL
> >> > }
> >> > stop() {
> >> > echo -n $"Shutting down system logger: "
> >> > killproc $prog
> >> > RETVAL=$?
> >> > echo
> >> > [ $RETVAL -eq 0 ] && rm -f $lockfile
> >> > return $RETVAL
> >> > }
> >> > reload() {
> >> > RETVAL=1
> >> > syslog=$(cat "${PIDFILE}" 2>/dev/null)
> >> > echo -n "Reloading system logger..."
> >> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> >> > kill -HUP "$syslog";
> >> > RETVAL=$?
> >> > fi
> >> > if [ $RETVAL -ne 0 ]; then
> >> > failure
> >> > else
> >> > success
> >> > fi
> >> > echo
> >> > return $RETVAL
> >> > }
> >> > rhstatus() {
> >> > status -p "${PIDFILE}" $prog
> >> > }
> >> > restart() {
> >> > stop
> >> > start
> >> > }
> >> >
> >> > case "$1" in
> >> > start)
> >> > start
> >> > ;;
> >> > stop)
> >> > stop
> >> > ;;
> >> > restart)
> >> > restart
> >> > ;;
> >> > reload|force-reload)
> >> > reload
> >> > ;;
> >> > status)
> >> > rhstatus
> >> > ;;
> >> > condrestart|try-restart)
> >> > rhstatus >/dev/null 2>&1 || exit 0
> >> > restart
> >> > ;;
> >> > *)
> >> > echo $"Usage: $0
> >> > {start|stop|restart|condrestart|try-restart|reload|force-
> >> > reload|status}"
> >> > exit 2
> >> > esac
> >> >
> >> > exit $?
> >> >
> >> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >> >
> >> > >
> >> > >
> >> > > > -----Original Message-----
> >> > > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > > > bounces [at] lists] On Behalf Of Michael Maymann
> >> > > > Sent: Wednesday, February 01, 2012 9:08 AM
> >> > > > To: rsyslog-users
> >> > > > Subject: Re: [rsyslog] rsyslog as non-root user
> >> > > >
> >> > > > Hi,
> >> > > >
> >> > > > David: thanks - got it working with permission dropping, by far
> >> > > > my preferred configuration... just didn't know of it...:-) !
> >> > > > Rainer: please let us know if the debug info of the "permission
> >> > > > dropping: hang+timeout" I sent you can solve anything... anyway it works
> >> > > > now - but not optimal if other people have to service my setup...:-) !
> >> > >
> >> > > I have reviewed the debug log and I see nothing unexpected. From
> >> > > the timestamps I also see that there is no hang whatsoever. So it
> >> > > looks like there is some problem with the startup script, which I don't
> >> > > know. I suggest to ask what the FAILED status is caused by. We
> >> > > can then look why this happens.
> >> > >
> >> > > Sorry I have no better answer...
> >> > > Rainer
> >> > >
> >> > > >
> >> > > > Thanks in advance :-) !
> >> > > > ~maymann
> >> > > >
> >> > > > 2012/2/1 <david [at] lang>
> >> > > >
> >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote:
> >> > > > >
> >> > > > > Hi,
> >> > > > >>
> >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is working fine
> >> > > > >> running as root.
> >> > > > >> I would like to run it as non-root user as my logfiles are located
> >> > > > >> on NFS (and root export of NFS is generally not a good idea !).
> >> > > > >>
> >> > > > >> Here is my rsyslog.conf:
> >> > > > >> #LOAD MODULES
> >> > > > >> $ModLoad imudp
> >> > > > >> $UDPServerRun 514
> >> > > > >> $UDPServerAddress 127.0.0.1
> >> > > > >> $ModLoad imtcp
> >> > > > >> $InputTCPServerRun 514
> >> > > > >> #SET DESTINATION FOR LOGS
> >> > > > >> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >> > > > >> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >> > > > >> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >> > > > >> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >> > > > >> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >> > > > >> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >> > > > >> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >> > > > >> #SET LOGGING CONDITIONS
> >> > > > >> if $syslogseverity <= '6' then ?DYNmessages
> >> > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> >> > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> >> > > > >> if $syslogfacility-text == 'cron' then ?DYNcron
> >> > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler
> >> > > > >> if $syslogfacility-text == 'local7' then ?DYNboot
> >> > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> >> > > > >>
> >> > > > >> Here is my logfile when I try to start rsyslog as a non-root
> >> > user:
> >> > > > >> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> >> > > > >> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> >> > > > >> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> >> > > > >> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> >> > > > >> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> >> > > > >> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> >> > > > >> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >> > > > >>
> >> > > > >> So permissions to bind and sockets seems to be the problem...
> >> > > > >>
> >> > > > >
> >> > > > > yes, you cannot bind to ports <1024 as a normal user (without making
> >> > > > > some other non-standard changes through sysctl)
> >> > > > >
> >> > > > >
> >> > > > >> 1. Is it possible to make rsyslog write logfiles as a non-root user
> >> > > > >> - if yes: how ?
> >> > > > >>
> >> > > > >
> >> > > > > permission drop features
> >> > > > >
> >> > > > >
> >> > > > >> 2a. Is it possible to add permissions for non-root user to run
> >> > > > >> rsyslog server - if yes: how ?
> >> > > > >>
> >> > > > >
> >> > > > > pick a listening port > 1024 and it should work.
> >> > > > >
> >> > > > >
> >> > > > >> 2b. How do I start rsyslog during boot as non-root user - can
> >> > > > >> chkconfig do this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >> > > > >>
> >> > > > >
> >> > > > > su can run a command as a different user.
> >> > > > >
> >> > > > > although as Rainer points out, you may just be looking for the
> >> > > > > permission dropping features that are already in rsyslog.
> >> > > > >
> >> > > > > David Lang
> >> > > > >
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


michael at maymann

Feb 2, 2012, 5:32 AM

Post #13 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Anyone...?

2012/2/2 Rainer Gerhards <rgerhards [at] hq>

>
>
> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Thursday, February 02, 2012 2:29 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog as non-root user
> >
> > Hi Rainer,
> >
> > I really have my doubts it has something to do with my startup script:
> > 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> >
> > I'm running on RHEL6.1_x64.
> > Do you have a working /etc/init.d/rsyslog what you can share/I can
> test...?
>
> No
>
> rg
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/2/2 Michael Maymann <michael [at] maymann>
> >
> > > Hi,
> > >
> > > Rainer: Sorry... forgot to mention that it doesn't say anything about
> > > failing in the logs... and it actually doesn't fail... it works and
> > > after the timeout+failed notice only the process owned by
> > > PrivDropToUser-USER is present, but now owned by the init process
> > > (mother process dies):
> > >
> > > # service rsyslog start
> > > Starting system logger: [FAILED]
> > >
> > > BEFORE failed status:
> > > root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> > > <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
> > > /usr/sbin/rsyslogd -c 6
> > >
> > > AFTER failed status the root-owned process is killed and the
> > > PrivDropToUser-USER owned process therefore gets owned by init:
> > > <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
> > > /usr/sbin/rsyslogd -c 6
> > >
> > > Anyone who can help with this...?:
> > > here is the debug output when running the init-script:
> > > #/etc/init.d/rsyslog start
> > > + . /etc/init.d/functions
> > > ++ TEXTDOMAIN=initscripts
> > > ++ umask 022
> > > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> > > ++ export PATH
> > > ++ '[' -z '' ']'
> > > ++ COLUMNS=80
> > > ++ '[' -z '' ']'
> > > +++ /sbin/consoletype
> > > ++ CONSOLETYPE=pty
> > > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > > ++ . /etc/profile.d/lang.sh
> > > ++ unset LANGSH_SOURCED
> > > ++ '[' -z '' ']'
> > > ++ '[' -f /etc/sysconfig/init ']'
> > > ++ . /etc/sysconfig/init
> > > +++ BOOTUP=color
> > > +++ RES_COL=60
> > > +++ MOVE_TO_COL='echo -en \033[.60G'
> > > +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> > > +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> > > +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> > > +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> > > +++ PROMPT=yes
> > > +++ AUTOSWAP=no
> > > +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> > > +++ SINGLE=/sbin/sushell
> > > ++ '[' pty = serial ']'
> > > ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> > > + RETVAL=0
> > > + PIDFILE=/var/run/syslogd.pid
> > > + prog=rsyslogd
> > > + exec=/usr/sbin/rsyslogd
> > > + lockfile=/var/lock/subsys/rsyslogd
> > > + case "$1" in
> > > + start
> > > + '[' -x /usr/sbin/rsyslogd ']'
> > > + '[' -f /etc/sysconfig/rsyslog ']'
> > > + . /etc/sysconfig/rsyslog
> > > ++ SYSLOGD_OPTIONS='-c 6'
> > > + umask 077
> > > + echo -n 'Starting system logger: '
> > > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
> > > + local gotbase= force= nicelevel corelimit
> > > + local pid base= user= nice= bg= pid_file=
> > > + local cgroup=
> > > + nicelevel=0
> > > + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> > > + case $1 in
> > > + pid_file=/var/run/syslogd.pid
> > > + shift
> > > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > > + '[' -z '' ']'
> > > + base=rsyslogd
> > > + __pids_var_run rsyslogd /var/run/syslogd.pid
> > > + local base=rsyslogd
> > > + local pid_file=/var/run/syslogd.pid
> > > + pid=
> > > + '[' -f /var/run/syslogd.pid ']'
> > > + return 3
> > > + '[' -n '' -a -z '' ']'
> > > + corelimit='ulimit -S -c 0'
> > > + '[' -n '' ']'
> > > + '[' -n '' ']'
> > > + '[' color = verbose -a -z '' ']'
> > > + '[' -z '' ']'
> > > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> > > ...
> > > (hangs here for a long time)
> > > ...
> > > + '[' 1 -eq 0 ']'
> > > + failure 'rsyslogd startup'
> > > + local rc=1
> > > + '[' color '!=' verbose -a -z '' ']'
> > > + echo_failure
> > > + '[' color = color ']'
> > > + echo -en '\033[60G'
> > > + echo -n '['
> > > [+ '[' color = color ']'
> > > + echo -en '\033[.0;31m'
> > > + echo -n FAILED
> > > FAILED+ '[' color = color ']'
> > > + echo -en '\033[0;39m'
> > > + echo -n ']'
> > > ]+ echo -ne '\r'
> > > + return 1
> > > + '[' -x /usr/bin/plymouth ']'
> > > + /usr/bin/plymouth --details
> > > + return 1
> > > + RETVAL=1
> > > + echo
> > >
> > > + '[' 1 -eq 0 ']'
> > > + return 1
> > > + exit 1
> > >
> > > I have tried to give 777-access to /var/run and /var/lock/subsys - but
> > > same thing happens...
> > >
> > >
> > >
> > > Thanks in advance :-) !
> > >
> > > Br.
> > > ~maymann
> > >
> > >
> > >
> > > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> > >
> > >> I can only help you with that part if you point me to why exactly the
> > >> script claims what it does. So you may want to try to find someone who
> > >> can do that. I know this is probably a trivial question, but I don't
> > >> know anything ;)
> > >>
> > >> Sry, rainer
> > >>
> > >> > -----Original Message-----
> > >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > >> > bounces [at] lists] On Behalf Of Michael Maymann
> > >> > Sent: Thursday, February 02, 2012 10:03 AM
> > >> > To: rsyslog-users
> > >> > Subject: Re: [rsyslog] rsyslog as non-root user
> > >> >
> > >> > Here is my startup script... only thing changed is the path to the
> > >> > new 6.3.6-rsyslog-devel binary.
> > >> > The startup script also works perfectly when I comment out the
> > >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
> > >> > have both or one of the entries...:
> > >> > #!/bin/bash
> > >> > #
> > >> > # rsyslog        Starts rsyslogd/rklogd.
> > >> > #
> > >> > #
> > >> > # chkconfig: 2345 12 88
> > >> > # description: Syslog is the facility by which many daemons use to log \
> > >> > #              messages to various system log files. It is a good idea to always \
> > >> > #              run rsyslog.
> > >> > ### BEGIN INIT INFO
> > >> > # Provides: $syslog
> > >> > # Required-Start: $local_fs
> > >> > # Required-Stop: $local_fs
> > >> > # Default-Start: 2 3 4 5
> > >> > # Default-Stop: 0 1 6
> > >> > # Short-Description: Enhanced system logging and kernel message trapping daemons
> > >> > # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> > >> > #              among others, MySQL, syslog/tcp, RFC 3195, permitted
> > >> > #              sender lists, filtering on any message part, and fine
> > >> > #              grain output format control.
> > >> > ### END INIT INFO
> > >> >
> > >> > # Source function library.
> > >> > . /etc/init.d/functions
> > >> >
> > >> > RETVAL=0
> > >> > PIDFILE=/var/run/syslogd.pid
> > >> >
> > >> > prog=rsyslogd
> > >> > #exec=/sbin/rsyslogd
> > >> > exec=/usr/sbin/rsyslogd
> > >> > lockfile=/var/lock/subsys/$prog
> > >> >
> > >> > start() {
> > >> >     [ -x $exec ] || exit 5
> > >> >
> > >> >     # Source config
> > >> >     if [ -f /etc/sysconfig/rsyslog ] ; then
> > >> >         . /etc/sysconfig/rsyslog
> > >> >     fi
> > >> >     umask 077
> > >> >
> > >> >     echo -n $"Starting system logger: "
> > >> >     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> > >> >     RETVAL=$?
> > >> >     echo
> > >> >     [ $RETVAL -eq 0 ] && touch $lockfile
> > >> >     return $RETVAL
> > >> > }
> > >> > stop() {
> > >> >     echo -n $"Shutting down system logger: "
> > >> >     killproc $prog
> > >> >     RETVAL=$?
> > >> >     echo
> > >> >     [ $RETVAL -eq 0 ] && rm -f $lockfile
> > >> >     return $RETVAL
> > >> > }
> > >> > reload() {
> > >> >     RETVAL=1
> > >> >     syslog=$(cat "${PIDFILE}" 2>/dev/null)
> > >> >     echo -n "Reloading system logger..."
> > >> >     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> > >> >         kill -HUP "$syslog";
> > >> >         RETVAL=$?
> > >> >     fi
> > >> >     if [ $RETVAL -ne 0 ]; then
> > >> >         failure
> > >> >     else
> > >> >         success
> > >> >     fi
> > >> >     echo
> > >> >     return $RETVAL
> > >> > }
> > >> > rhstatus() {
> > >> >     status -p "${PIDFILE}" $prog
> > >> > }
> > >> > restart() {
> > >> >     stop
> > >> >     start
> > >> > }
> > >> >
> > >> > case "$1" in
> > >> >   start)
> > >> >     start
> > >> >     ;;
> > >> >   stop)
> > >> >     stop
> > >> >     ;;
> > >> >   restart)
> > >> >     restart
> > >> >     ;;
> > >> >   reload|force-reload)
> > >> >     reload
> > >> >     ;;
> > >> >   status)
> > >> >     rhstatus
> > >> >     ;;
> > >> >   condrestart|try-restart)
> > >> >     rhstatus >/dev/null 2>&1 || exit 0
> > >> >     restart
> > >> >     ;;
> > >> >   *)
> > >> >     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
> > >> >     exit 2
> > >> > esac
> > >> >
> > >> > exit $?
> > >> >
> > >> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> > >> >
> > >> > >
> > >> > >
> > >> > > > -----Original Message-----
> > >> > > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > >> > > > bounces [at] lists] On Behalf Of Michael Maymann
> > >> > > > Sent: Wednesday, February 01, 2012 9:08 AM
> > >> > > > To: rsyslog-users
> > >> > > > Subject: Re: [rsyslog] rsyslog as non-root user
> > >> > > >
> > >> > > > Hi,
> > >> > > >
> > >> > > > David: thanks - got it working with permission dropping, by far
> > >> > > > my preferred configuration... just didn't know of it...:-) !
> > >> > > > Rainer: please let us know if the debug info of the "permission
> > >> > > > dropping: hang+timeout" I sent you can solve anything... anyway it
> > >> > > > works now - but not optimal if other people have to service my
> > >> > > > setup...:-) !
> > >> > >
> > >> > > I have reviewed the debug log and I see nothing unexpected. From
> > >> > > the timestamps I also see that there is no hang whatsoever. So it
> > >> > > looks like there is some problem with the startup script, which I
> > >> > > don't know. I suggest asking what the FAILED status is caused by. We
> > >> > > can then look at why this happens.
> > >> > >
> > >> > > Sorry I have no better answer...
> > >> > > Rainer
> > >> > >
> > >> > > >
> > >> > > > Thanks in advance :-) !
> > >> > > > ~maymann
> > >> > > >
> > >> > > > 2012/2/1 <david [at] lang>
> > >> > > >
> > >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote:
> > >> > > > >
> > >> > > > >> Hi,
> > >> > > > >>
> > >> > > > >> I have now set up a 6.3.6-devel rsyslog server that is working fine running
> > >> > > > >> as root.
> > >> > > > >> I would like to run it as non-root user as my logfiles are located on NFS
> > >> > > > >> (and root export of NFS is generally not a good idea !).
> > >> > > > >>
> > >> > > > >> Here is my rsyslog.conf:
> > >> > > > >> #LOAD MODULES
> > >> > > > >> $ModLoad imudp
> > >> > > > >> $UDPServerRun 514
> > >> > > > >> $UDPServerAddress 127.0.0.1
> > >> > > > >> $ModLoad imtcp
> > >> > > > >> $InputTCPServerRun 514
> > >> > > > >> #SET DESTINATION FOR LOGS
> > >> > > > >> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >> > > > >> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >> > > > >> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >> > > > >> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >> > > > >> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >> > > > >> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >> > > > >> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >> > > > >> #SET LOGGING CONDITIONS
> > >> > > > >> if $syslogseverity <= '6' then ?DYNmessages
> > >> > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> > >> > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> > >> > > > >> if $syslogfacility-text == 'cron' then ?DYNcron
> > >> > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler
> > >> > > > >> if $syslogfacility-text == 'local7' then ?DYNboot
> > >> > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> > >> > > > >>
> > >> > > > >> Here is my logfile when I try to start rsyslog as a non-root user:
> > >> > > > >> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> > >> > > > >> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> > >> > > > >> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> > >> > > > >> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> > >> > > > >> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> > >> > > > >> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> > >> > > > >> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> > >> > > > >>
> > >> > > > >> So permissions to bind and sockets seem to be the problem...
> > >> > > > >>
> > >> > > > >
> > >> > > > > yes, you cannot bind to ports <1024 as a normal user (without making
> > >> > > > > some other non-standard changes through sysctl)
> > >> > > > >
> > >> > > > >
> > >> > > > >> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> > >> > > > >> yes: how ?
> > >> > > > >>
> > >> > > > >
> > >> > > > > permission drop features
> > >> > > > >
> > >> > > > >
> > >> > > > >> 2a. Is it possible to add permissions for non-root user to run rsyslog
> > >> > > > >> server - if yes: how ?
> > >> > > > >>
> > >> > > > >
> > >> > > > > pick a listening port > 1024 and it should work.
> > >> > > > >
> > >> > > > >
> > >> > > > >> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> > >> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> > >> > > > >>
> > >> > > > >
> > >> > > > > su can run a command as a different user.
> > >> > > > >
> > >> > > > > although as Rainer points out, you may just be looking for the permission
> > >> > > > > dropping features that are already in rsyslog.
> > >> > > > >
> > >> > > > > David Lang
> > >> > > > >
> > >>
> > >
> > >

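Pulling David's three answers (privilege dropping, an unprivileged listening port, and files created by the unprivileged user) into one legacy-format rsyslog.conf, as an added example that is not a config from the thread; the account name rsyslog, the port 1514 and the spool path are assumptions, and <PATH_TO> is the poster's own placeholder:

```rsyslog
# Added example, not a config from the thread. Legacy rsyslog 5/6 "$" directives.
# Assumptions: user/group "rsyslog", port 1514, spool path /var/spool/rsyslog.

#LOAD MODULES
$ModLoad imudp
$ModLoad imtcp

#DROP PRIVILEGES: rsyslogd is started by init as root and then switches to this
#account, so the files it writes on the NFS export are never root-owned.
$PrivDropToUser rsyslog
$PrivDropToGroup rsyslog

#QUEUE/SPOOL DIRECTORY: must be writable by the dropped user
$WorkDirectory /var/spool/rsyslog

#LISTENERS: ports below 1024 need root (or CAP_NET_BIND_SERVICE), so an
#unprivileged port keeps this config valid whether rsyslogd is started by init
#as root or by su as the unprivileged user. Senders must then use 1514 as well.
$UDPServerAddress 127.0.0.1
$UDPServerRun 1514
$InputTCPServerRun 1514

#FILE OWNERSHIP: applies to the omfile actions that follow. Files and the
#per-host directories are created as the dropped user with restrictive modes,
#so the NFS export can keep its default root_squash.
$FileOwner rsyslog
$FileGroup rsyslog
$DirOwner rsyslog
$DirGroup rsyslog
$FileCreateMode 0640
$DirCreateMode 0750
$CreateDirs on

#SET DESTINATION FOR LOGS (two of the poster's templates, unchanged)
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
```

<PATH_TO> itself must already be writable by the rsyslog user on the NFS mount, because the %FROMHOST% subdirectories are created after the privilege drop.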

michael at maymann

Feb 2, 2012, 6:10 AM

Post #14 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

bugreport created...
http://bugzilla.adiscon.com/show_bug.cgi?id=306

Br.
~maymann

2012/2/2 Michael Maymann <michael [at] maymann>

> Anyone...?
>


rgerhards at hq

Feb 2, 2012, 6:12 AM

Post #15 of 37 (428 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Closed as invalid, you need to talk to your distro... (see tracker)

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 3:11 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> bugreport created...
> http://bugzilla.adiscon.com/show_bug.cgi?id=306
>
> Br.
> ~maymann
>
> 2012/2/2 Michael Maymann <michael [at] maymann>
>
> > Anyone...?
> >
> >
> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >
> >>
> >>
> >> > -----Original Message-----
> >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > bounces [at] lists] On Behalf Of Michael Maymann
> >> > Sent: Thursday, February 02, 2012 2:29 PM
> >> > To: rsyslog-users
> >> > Subject: Re: [rsyslog] rsyslog as non-root user
> >> >
> >> > Hi Rainer,
> >> >
> >> > I really have my doubts it has something to do with my startup script:
> >> > 1. I only changed the exec=/usr/sbin/rsyslogd from default
> >> > 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> >> >
> >> > I'm running on RHEL6.1_x64.
> >> > Do you have a working /etc/init.d/rsyslog that you can share/I can
> >> test...?
> >>
> >> No
> >>
> >> rg
> >> >
> >> >
> >> > Thanks in advance :-) !
> >> > ~maymann
> >> >
> >> > 2012/2/2 Michael Maymann <michael [at] maymann>
> >> >
> >> > > Hi,
> >> > >
> >> > > Rainer: Sorry... forgot to mention that it doesn't say anything
> >> > > about failing in the logs... and it actually doesn't fail... it
> >> > > works and after the timeout+failed notice only the process owned
> >> > > by PrivDropToUser-USER is present, but now owned by the
> >> > > init-process (mother process dies):
> >> > >
> >> > > # service rsyslog start
> >> > > Starting system logger: [FAILED]
> >> > >
> >> > > BEFORE failed status:
> >> > > root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> >> > > <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
> >> > > /usr/sbin/rsyslogd -c 6
> >> > >
> >> > > AFTER failed status root-owned process is killed and
> >> > > PrivDropToUser-USER owned process therefore gets owned by init:
> >> > > <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
> >> > > /usr/sbin/rsyslogd -c 6
> >> > >
> >> > > Anyone who can help with this...?:
> >> > > here is the debug output when running the init-script:
> >> > > #/etc/init.d/rsyslog start
> >> > > + . /etc/init.d/functions
> >> > > ++ TEXTDOMAIN=initscripts
> >> > > ++ umask 022
> >> > > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> >> > > ++ export PATH
> >> > > ++ '[' -z '' ']'
> >> > > ++ COLUMNS=80
> >> > > ++ '[' -z '' ']'
> >> > > +++ /sbin/consoletype
> >> > > ++ CONSOLETYPE=pty
> >> > > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> >> > > ++ . /etc/profile.d/lang.sh
> >> > > ++ unset LANGSH_SOURCED
> >> > > ++ '[' -z '' ']'
> >> > > ++ '[' -f /etc/sysconfig/init ']'
> >> > > ++ . /etc/sysconfig/init
> >> > > +++ BOOTUP=color
> >> > > +++ RES_COL=60
> >> > > +++ MOVE_TO_COL='echo -en \033[.60G'
> >> > > +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> >> > > +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> >> > > +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> >> > > +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> >> > > +++ PROMPT=yes
> >> > > +++ AUTOSWAP=no
> >> > > +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> >> > > +++ SINGLE=/sbin/sushell
> >> > > ++ '[' pty = serial ']'
> >> > > ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> >> > > + RETVAL=0
> >> > > + PIDFILE=/var/run/syslogd.pid
> >> > > + prog=rsyslogd
> >> > > + exec=/usr/sbin/rsyslogd
> >> > > + lockfile=/var/lock/subsys/rsyslogd
> >> > > + case "$1" in
> >> > > + start
> >> > > + '[' -x /usr/sbin/rsyslogd ']'
> >> > > + '[' -f /etc/sysconfig/rsyslog ']'
> >> > > + . /etc/sysconfig/rsyslog
> >> > > ++ SYSLOGD_OPTIONS='-c 6'
> >> > > + umask 077
> >> > > + echo -n 'Starting system logger: '
> >> > > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
> >> > > /usr/sbin/rsyslogd -c 6
> >> > > + local gotbase= force= nicelevel corelimit
> >> > > + local pid base= user= nice= bg= pid_file=
> >> > > + local cgroup=
> >> > > + nicelevel=0
> >> > > + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> >> > > + case $1 in
> >> > > + pid_file=/var/run/syslogd.pid
> >> > > + shift
> >> > > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> >> > > + '[' -z '' ']'
> >> > > + base=rsyslogd
> >> > > + __pids_var_run rsyslogd /var/run/syslogd.pid
> >> > > + local base=rsyslogd
> >> > > + local pid_file=/var/run/syslogd.pid
> >> > > + pid=
> >> > > + '[' -f /var/run/syslogd.pid ']'
> >> > > + return 3
> >> > > + '[' -n '' -a -z '' ']'
> >> > > + corelimit='ulimit -S -c 0'
> >> > > + '[' -n '' ']'
> >> > > + '[' -n '' ']'
> >> > > + '[' color = verbose -a -z '' ']'
> >> > > + '[' -z '' ']'
> >> > > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> >> > > ...
> >> > > (hangs here for a long time)
> >> > > ...
> >> > > + '[' 1 -eq 0 ']'
> >> > > + failure 'rsyslogd startup'
> >> > > + local rc=1
> >> > > + '[' color '!=' verbose -a -z '' ']'
> >> > > + echo_failure
> >> > > + '[' color = color ']'
> >> > > + echo -en '\033[.60G'
> >> > > + echo -n '['
> >> > > [+ '[' color = color ']'
> >> > > + echo -en '\033[.0;31m'
> >> > > + echo -n FAILED
> >> > > FAILED+ '[' color = color ']'
> >> > > + echo -en '\033[0;39m'
> >> > > + echo -n ']'
> >> > > ]+ echo -ne '\r'
> >> > > + return 1
> >> > > + '[' -x /usr/bin/plymouth ']'
> >> > > + /usr/bin/plymouth --details
> >> > > + return 1
> >> > > + RETVAL=1
> >> > > + echo
> >> > >
> >> > > + '[' 1 -eq 0 ']'
> >> > > + return 1
> >> > > + exit 1
> >> > >
> >> > > I have tried to give 777-access to /var/run and /var/lock/subsys
> >> > > - but same thing happens...
> >> > >
> >> > >
> >> > >
> >> > > Thanks in advance :-) !
> >> > >
> >> > > Br.
> >> > > ~maymann
> >> > >
> >> > >
> >> > >
> >> > > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >> > >
> >> > >> I can only help you with that part if you point me to why
> >> > >> exactly the script claims what it does. So you may want to try to
> >> > >> find someone who can do that. I know this is probably a trivial
> >> > >> question, but I don't know anything ;)
> >> > >>
> >> > >> Sry, rainer
> >> > >>
> >> > >> > -----Original Message-----
> >> > >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > >> > bounces [at] lists] On Behalf Of Michael Maymann
> >> > >> > Sent: Thursday, February 02, 2012 10:03 AM
> >> > >> > To: rsyslog-users
> >> > >> > Subject: Re: [rsyslog] rsyslog as non-root user
> >> > >> >
> >> > >> > Here is my startup script... only thing changed is the path to
> >> > >> > the new 6.3.6-rsyslog-devel binary.
> >> > >> > The startup-scripts works also perfectly when I comment out the
> >> > >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
> >> > >> > have both or one of the entries...:
> >> > >> > #!/bin/bash
> >> > >> > #
> >> > >> > # rsyslog Starts rsyslogd/rklogd.
> >> > >> > #
> >> > >> > #
> >> > >> > # chkconfig: 2345 12 88
> >> > >> > # description: Syslog is the facility by which many daemons use to log \
> >> > >> > # messages to various system log files. It is a good idea to always \
> >> > >> > # run rsyslog.
> >> > >> > ### BEGIN INIT INFO
> >> > >> > # Provides: $syslog
> >> > >> > # Required-Start: $local_fs
> >> > >> > # Required-Stop: $local_fs
> >> > >> > # Default-Start: 2 3 4 5
> >> > >> > # Default-Stop: 0 1 6
> >> > >> > # Short-Description: Enhanced system logging and kernel message trapping daemons
> >> > >> > # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> >> > >> > # among others, MySQL, syslog/tcp, RFC 3195, permitted
> >> > >> > # sender lists, filtering on any message part, and fine
> >> > >> > # grain output format control.
> >> > >> > ### END INIT INFO
> >> > >> >
> >> > >> > # Source function library.
> >> > >> > . /etc/init.d/functions
> >> > >> >
> >> > >> > RETVAL=0
> >> > >> > PIDFILE=/var/run/syslogd.pid
> >> > >> >
> >> > >> > prog=rsyslogd
> >> > >> > #exec=/sbin/rsyslogd
> >> > >> > exec=/usr/sbin/rsyslogd
> >> > >> > lockfile=/var/lock/subsys/$prog
> >> > >> >
> >> > >> > start() {
> >> > >> > [ -x $exec ] || exit 5
> >> > >> >
> >> > >> > # Source config
> >> > >> > if [ -f /etc/sysconfig/rsyslog ] ; then
> >> > >> > . /etc/sysconfig/rsyslog
> >> > >> > fi
> >> > >> > umask 077
> >> > >> >
> >> > >> > echo -n $"Starting system logger: "
> >> > >> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> >> > >> > RETVAL=$?
> >> > >> > echo
> >> > >> > [ $RETVAL -eq 0 ] && touch $lockfile
> >> > >> > return $RETVAL
> >> > >> > }
> >> > >> > stop() {
> >> > >> > echo -n $"Shutting down system logger: "
> >> > >> > killproc $prog
> >> > >> > RETVAL=$?
> >> > >> > echo
> >> > >> > [ $RETVAL -eq 0 ] && rm -f $lockfile
> >> > >> > return $RETVAL
> >> > >> > }
> >> > >> > reload() {
> >> > >> > RETVAL=1
> >> > >> > syslog=$(cat "${PIDFILE}" 2>/dev/null)
> >> > >> > echo -n "Reloading system logger..."
> >> > >> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> >> > >> > kill -HUP "$syslog";
> >> > >> > RETVAL=$?
> >> > >> > fi
> >> > >> > if [ $RETVAL -ne 0 ]; then
> >> > >> > failure
> >> > >> > else
> >> > >> > success
> >> > >> > fi
> >> > >> > echo
> >> > >> > return $RETVAL
> >> > >> > }
> >> > >> > rhstatus() {
> >> > >> > status -p "${PIDFILE}" $prog
> >> > >> > }
> >> > >> > restart() {
> >> > >> > stop
> >> > >> > start
> >> > >> > }
> >> > >> >
> >> > >> > case "$1" in
> >> > >> > start)
> >> > >> > start
> >> > >> > ;;
> >> > >> > stop)
> >> > >> > stop
> >> > >> > ;;
> >> > >> > restart)
> >> > >> > restart
> >> > >> > ;;
> >> > >> > reload|force-reload)
> >> > >> > reload
> >> > >> > ;;
> >> > >> > status)
> >> > >> > rhstatus
> >> > >> > ;;
> >> > >> > condrestart|try-restart)
> >> > >> > rhstatus >/dev/null 2>&1 || exit 0
> >> > >> > restart
> >> > >> > ;;
> >> > >> > *)
> >> > >> > echo $"Usage: $0
> >> > >> > {start|stop|restart|condrestart|try-restart|reload|force-
> >> > >> > reload|status}"
> >> > >> > exit 2
> >> > >> > esac
> >> > >> >
> >> > >> > exit $?
> >> > >> >
> >> > >> > 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >> > >> >
> >> > >> > >
> >> > >> > >
> >> > >> > > > -----Original Message-----
> >> > >> > > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > >> > > > bounces [at] lists] On Behalf Of Michael Maymann
> >> > >> > > > Sent: Wednesday, February 01, 2012 9:08 AM
> >> > >> > > > To: rsyslog-users
> >> > >> > > > Subject: Re: [rsyslog] rsyslog as non-root user
> >> > >> > > >
> >> > >> > > > Hi,
> >> > >> > > >
> >> > >> > > > David: thanks - got it working with permission dropping, by far my
> >> > >> > > > preferred configuration... just didn't know of it...:-) !
> >> > >> > > > Rainer: please let us know if the debug info of the "permission dropping:
> >> > >> > > > hang+timeout" I sent you can solve anything... anyway it works now - but
> >> > >> > > > not optimal if other people have to service my setup...:-) !
> >> > >> > >
> >> > >> > > I have reviewed the debug log and I see nothing unexpected.
> >> > >> > > From the timestamps I also see that there is no hang
> >> > >> > > whatsoever. So it looks
> >> > >> > like
> >> > >> > > there is some problem with the startup script, which I don't
> >> > >> > > know. I suggest to ask what the FAILED status is caused by.
> >> > >> > > We can then look why this happens.
> >> > >> > >
> >> > >> > > Sorry I have no better answer...
> >> > >> > > Rainer
> >> > >> > >
> >> > >> > > >
> >> > >> > > > Thanks in advance :-) !
> >> > >> > > > ~maymann
> >> > >> > > >
> >> > >> > > > 2012/2/1 <david [at] lang>
> >> > >> > > >
> >> > >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote:
> >> > >> > > > >
> >> > >> > > > > Hi,
> >> > >> > > > >>
> >> > >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> >> > >> > > > >> as root.
> >> > >> > > > >> I would like to run it as non-root user as my logfiles are located on NFS
> >> > >> > > > >> (and root export of NFS is generally not a good idea !).
> >> > >> > > > >>
> >> > >> > > > >> Here is my rsyslog.conf:
> >> > >> > > > >> #LOAD MODULES
> >> > >> > > > >> $ModLoad imudp
> >> > >> > > > >> $UDPServerRun 514
> >> > >> > > > >> $UDPServerAddress 127.0.0.1
> >> > >> > > > >> $ModLoad imtcp
> >> > >> > > > >> $InputTCPServerRun 514
> >> > >> > > > >> #SET DESTINATION FOR LOGS
> >> > >> > > > >> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >> > >> > > > >> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >> > >> > > > >> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >> > >> > > > >> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >> > >> > > > >> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >> > >> > > > >> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >> > >> > > > >> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >> > >> > > > >> #SET LOGGING CONDITIONS
> >> > >> > > > >> if $syslogseverity <= '6' then ?DYNmessages
> >> > >> > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> >> > >> > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> >> > >> > > > >> if $syslogfacility-text == 'cron' then ?DYNcron
> >> > >> > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler
> >> > >> > > > >> if $syslogfacility-text == 'local7' then ?DYNboot
> >> > >> > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> >> > >> > > > >> then ?DYNtraps
> >> > >> > > > >>
> >> > >> > > > >> Here is my logfile when I try to start rsyslog as a non-root user:
> >> > >> > > > >> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin
> >> > >> > > > >> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="
> >> > >> > > > >> http://www.rsyslog.com"] start
> >> > >> > > > >> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission
> >> > >> > > > >> denied
> >> > >> > > > >> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission
> >> > >> > > > >> denied
> >> > >> > > > >> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket
> >> > >> > > > >> could successfully be initialized, message reception via UDP disabled.
> >> > >> > > > >> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners
> >> > >> > > > >> could be started, input not activated.
> >> > >> > > > >> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module
> >> > >> > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ]
> >> > >> > > > >> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create
> >> > >> > > > >> tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >> > >> > > > >>
> >> > >> > > > >> So permissions to bind and sockets seems to be the problem...
> >> > >> > > > >>
> >> > >> > > > >
> >> > >> > > > > yes, you cannot bind to ports <1024 as a normal user (without making some
> >> > >> > > > > other non-standard changes through sysctl)
> >> > >> > > > >
> >> > >> > > > >
> >> > >> > > > >> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> >> > >> > > > >> yes: how ?
> >> > >> > > > >>
> >> > >> > > > >
> >> > >> > > > > permission drop features
> >> > >> > > > >
> >> > >> > > > >
> >> > >> > > > >> 2a. Is it possible to add permissions for non-root user to run rsyslog
> >> > >> > > > >> server - if yes: how ?
> >> > >> > > > >>
> >> > >> > > > >
> >> > >> > > > > pick a listening port > 1024 and it should work.
> >> > >> > > > >
> >> > >> > > > >
> >> > >> > > > >> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> >> > >> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >> > >> > > > >>
> >> > >> > > > >
> >> > >> > > > > su can run a command as a different user.
> >> > >> > > > >
> >> > >> > > > > although as Rainer points out, you may just be looking for the permission
> >> > >> > > > > dropping features that are already in rsyslog.
> >> > >> > > > >
> >> > >> > > > > David Lang
> >> > >> > > > >
> >> > >> > > > >
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
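The [FAILED] status discussed in this thread says nothing about whether the privilege drop actually took effect: the init script only sees that the root-owned parent went away. The POSIX shell check below is an added example (not code from the thread or from the rsyslog project) that reads the pidfile the init script uses, confirms the process is alive, and compares its effective UID with the user named in $PrivDropToUser; it assumes Linux /proc and the coreutils `id`, and the function name is made up for this example.

```shell
#!/bin/sh
# check_dropped_daemon PIDFILE EXPECTED_USER
# Returns 0 only when PIDFILE names a live process whose effective UID is
# that of EXPECTED_USER; 1 when the process runs as someone else; 2 when the
# pidfile or user is unusable; 3 when the process is gone.
# Assumes Linux (/proc/PID/status) and coreutils `id`.
check_dropped_daemon() {
    pidfile=$1
    expected_user=$2

    # The init script's `status` and `killproc` rely on this file
    # (/var/run/syslogd.pid in the thread), so it must hold a numeric PID.
    [ -r "$pidfile" ] || { echo "no readable pidfile: $pidfile" >&2; return 2; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "pidfile does not contain a PID" >&2; return 2 ;;
    esac

    [ -d "/proc/$pid" ] || { echo "process $pid is not running" >&2; return 3; }

    # The Uid: line lists real, effective, saved and filesystem UIDs;
    # the effective UID (third column) is what file and socket access use.
    euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")
    expected_uid=$(id -u "$expected_user" 2>/dev/null) || {
        echo "unknown user: $expected_user" >&2; return 2; }

    if [ "$euid" != "$expected_uid" ]; then
        echo "process $pid runs with euid $euid, expected $expected_uid ($expected_user)" >&2
        return 1
    fi

    # A parent PID of 1 is the re-parenting to init that the thread observed
    # after the root-owned parent exited; for a daemon that is normal, not a failure.
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    echo "process $pid runs as $expected_user (ppid $ppid)"
    return 0
}

# Direct use: check_dropped_daemon /var/run/syslogd.pid <PrivDropToUser-USER>
if [ "$#" -eq 2 ]; then
    check_dropped_daemon "$1" "$2"
fi
```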


david at lang

Feb 2, 2012, 10:19 AM

Post #16 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

On Thu, 2 Feb 2012, Michael Maymann wrote:

> Hi Rainer,
>
> I really have my doubts it has something to do with my startup script:
> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>
> I'm running on RHEL6.1_x64.
> Do you have a working /etc/init.d/rsyslog that you can share/I can test...?


my guess is that this is a SELINUX related problem.

what happens if you try to start rsyslog manually (not by running the
startup script, but just running 'rsyslogd -c 6')?

David Lang

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann <michael [at] maymann>
>
>> Hi,
>>
>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>> failing in the logs... and it actually doesn't fail... it works and after
>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>> present, but now owned by the init-process (mother process dies):
>>
>> # service rsyslog start
>> Starting system logger: [FAILED]
>>
>> BEFORE failed status:
>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
>> /usr/sbin/rsyslogd -c 6
>>
>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>> owned process therefore gets owned by init:
>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
>> /usr/sbin/rsyslogd -c 6
>>
>> Anyone who can help with this...?:
>> here is the debug output when running the init-script:
>> #/etc/init.d/rsyslog start
>> + . /etc/init.d/functions
>> ++ TEXTDOMAIN=initscripts
>> ++ umask 022
>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>> ++ export PATH
>> ++ '[' -z '' ']'
>> ++ COLUMNS=80
>> ++ '[' -z '' ']'
>> +++ /sbin/consoletype
>> ++ CONSOLETYPE=pty
>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>> ++ . /etc/profile.d/lang.sh
>> ++ unset LANGSH_SOURCED
>> ++ '[' -z '' ']'
>> ++ '[' -f /etc/sysconfig/init ']'
>> ++ . /etc/sysconfig/init
>> +++ BOOTUP=color
>> +++ RES_COL=60
>> +++ MOVE_TO_COL='echo -en \033[.60G'
>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>> +++ PROMPT=yes
>> +++ AUTOSWAP=no
>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>> +++ SINGLE=/sbin/sushell
>> ++ '[' pty = serial ']'
>> ++
>> __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>> + RETVAL=0
>> + PIDFILE=/var/run/syslogd.pid
>> + prog=rsyslogd
>> + exec=/usr/sbin/rsyslogd
>> + lockfile=/var/lock/subsys/rsyslogd
>> + case "$1" in
>> + start
>> + '[' -x /usr/sbin/rsyslogd ']'
>> + '[' -f /etc/sysconfig/rsyslog ']'
>> + . /etc/sysconfig/rsyslog
>> ++ SYSLOGD_OPTIONS='-c 6'
>> + umask 077
>> + echo -n 'Starting system logger: '
>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
>> /usr/sbin/rsyslogd -c 6
>> + local gotbase= force= nicelevel corelimit
>> + local pid base= user= nice= bg= pid_file=
>> + local cgroup=
>> + nicelevel=0
>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>> + case $1 in
>> + pid_file=/var/run/syslogd.pid
>> + shift
>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>> + '[' -z '' ']'
>> + base=rsyslogd
>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>> + local base=rsyslogd
>> + local pid_file=/var/run/syslogd.pid
>> + pid=
>> + '[' -f /var/run/syslogd.pid ']'
>> + return 3
>> + '[' -n '' -a -z '' ']'
>> + corelimit='ulimit -S -c 0'
>> + '[' -n '' ']'
>> + '[' -n '' ']'
>> + '[' color = verbose -a -z '' ']'
>> + '[' -z '' ']'
>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>> ...
>> (hangs here for a long time)
>> ...
>> + '[' 1 -eq 0 ']'
>> + failure 'rsyslogd startup'
>> + local rc=1
>> + '[' color '!=' verbose -a -z '' ']'
>> + echo_failure
>> + '[' color = color ']'
>> + echo -en '\033[.60G'
>> + echo -n '['
>> [+ '[' color = color ']'
>> + echo -en '\033[.0;31m'
>> + echo -n FAILED
>> FAILED+ '[' color = color ']'
>> + echo -en '\033[0;39m'
>> + echo -n ']'
>> ]+ echo -ne '\r'
>> + return 1
>> + '[' -x /usr/bin/plymouth ']'
>> + /usr/bin/plymouth --details
>> + return 1
>> + RETVAL=1
>> + echo
>>
>> + '[' 1 -eq 0 ']'
>> + return 1
>> + exit 1
>>
>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>> same thing happens...
>>
>>
>>
>> Thanks in advance :-) !
>>
>> Br.
>> ~maymann
>>
>>
>>
>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>
>>> I can only help you with that part if you point me to why exactly the
>>> script claims what it does. So you may want to try to find someone who can
>>> do that. I know this is probably a trivial question, but I don't know
>>> anything ;)
>>>
>>> Sry, rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-
>>>> bounces [at] lists] On Behalf Of Michael Maymann
>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>
>>>> Here is my startup script... only thing changed is the path to the new
>>>> 6.3.6-rsyslog-devel binary.
>>>> The startup-scripts works also perfectly when I comment out the
>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
>>>> have both or one of the entries...:
>>>> #!/bin/bash
>>>> #
>>>> # rsyslog Starts rsyslogd/rklogd.
>>>> #
>>>> #
>>>> # chkconfig: 2345 12 88
>>>> # description: Syslog is the facility by which many daemons use to log
>>>> \
>>>> # messages to various system log files. It is a good idea to always \
>>>> # run rsyslog.
>>>> ### BEGIN INIT INFO
>>>> # Provides: $syslog
>>>> # Required-Start: $local_fs
>>>> # Required-Stop: $local_fs
>>>> # Default-Start: 2 3 4 5
>>>> # Default-Stop: 0 1 6
>>>> # Short-Description: Enhanced system logging and kernel message
>>>> trapping
>>>> daemons
>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd
>>>> supporting,
>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>> # sender lists, filtering on any message part, and fine
>>>> # grain output format control.
>>>> ### END INIT INFO
>>>>
>>>> # Source function library.
>>>> . /etc/init.d/functions
>>>>
>>>> RETVAL=0
>>>> PIDFILE=/var/run/syslogd.pid
>>>>
>>>> prog=rsyslogd
>>>> #exec=/sbin/rsyslogd
>>>> exec=/usr/sbin/rsyslogd
>>>> lockfile=/var/lock/subsys/$prog
>>>>
>>>> start() {
>>>> [ -x $exec ] || exit 5
>>>>
>>>> # Source config
>>>> if [ -f /etc/sysconfig/rsyslog ] ; then
>>>> . /etc/sysconfig/rsyslog
>>>> fi
>>>> umask 077
>>>>
>>>> echo -n $"Starting system logger: "
>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>> RETVAL=$?
>>>> echo
>>>> [ $RETVAL -eq 0 ] && touch $lockfile
>>>> return $RETVAL
>>>> }
>>>> stop() {
>>>> echo -n $"Shutting down system logger: "
>>>> killproc $prog
>>>> RETVAL=$?
>>>> echo
>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>> return $RETVAL
>>>> }
>>>> reload() {
>>>> RETVAL=1
>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>> echo -n "Reloading system logger..."
>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>> kill -HUP "$syslog";
>>>> RETVAL=$?
>>>> fi
>>>> if [ $RETVAL -ne 0 ]; then
>>>> failure
>>>> else
>>>> success
>>>> fi
>>>> echo
>>>> return $RETVAL
>>>> }
>>>> rhstatus() {
>>>> status -p "${PIDFILE}" $prog
>>>> }
>>>> restart() {
>>>> stop
>>>> start
>>>> }
>>>>
>>>> case "$1" in
>>>> start)
>>>> start
>>>> ;;
>>>> stop)
>>>> stop
>>>> ;;
>>>> restart)
>>>> restart
>>>> ;;
>>>> reload|force-reload)
>>>> reload
>>>> ;;
>>>> status)
>>>> rhstatus
>>>> ;;
>>>> condrestart|try-restart)
>>>> rhstatus >/dev/null 2>&1 || exit 0
>>>> restart
>>>> ;;
>>>> *)
>>>> echo $"Usage: $0
>>>> {start|stop|restart|condrestart|try-restart|reload|force-
>>>> reload|status}"
>>>> exit 2
>>>> esac
>>>>
>>>> exit $?
>>>>
>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-
>>>>>> bounces [at] lists] On Behalf Of Michael Maymann
>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>> Rainer: please let us know if the debug info of the "permission
>>>>>> dropping: hang+timeout" I sent you can solve anything... anyway it works
>>>>>> now - but not optimal if other people have to service my setup...:-) !
>>>>>
>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>> timestamps I also see that there is no hang whatsoever. So it looks
>>>> like
>>>>> there is some problem with the startup script, which I don't know. I
>>>>> suggest
>>>>> to ask what the FAILED status is caused by. We can then look why this
>>>>> happens.
>>>>>
>>>>> Sorry I have no better answer...
>>>>> Rainer
>>>>>
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/1 <david [at] lang>
>>>>>>
>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine
>>>>>>>> running as root.
>>>>>>>> I would like to run it as non-root user as my logfiles are located
>>>>>>>> on NFS (and root export of NFS is generally not a good idea !).
>>>>>>>>
>>>>>>>> Here is my rsyslog.conf:
>>>>>>>> #LOAD MODULES
>>>>>>>> $ModLoad imudp
>>>>>>>> $UDPServerRun 514
>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>> $ModLoad imtcp
>>>>>>>> $InputTCPServerRun 514
>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>>>>>>>> then ?DYNtraps
>>>>>>>>
>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin
>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="
>>>>>>>> http://www.rsyslog.com"] start
>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket
>>>>>>>> could successfully be initialized, message reception via UDP disabled.
>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners
>>>>>>>> could be started, input not activated.
>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module
>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create
>>>>>>>> tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>
>>>>>>>> So permissions to bind and sockets seems to be the problem...
>>>>>>>>
>>>>>>>
>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making
>>>>>>> some other non-standard changes through sysctl)
>>>>>>>
>>>>>>>
>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user
>>>>>>>> - if yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> permission drop features
>>>>>>>
>>>>>>>
>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
>>>>>>>> server - if yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>
>>>>>>>
>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> su can run a command as a different user.
>>>>>>>
>>>>>>> although as Rainer points out, you may just be looking for the permission
>>>>>>> dropping features that are already in rsyslog.
>>>>>>>
>>>>>>> David Lang
>>>>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


michael at maymann

Feb 2, 2012, 10:47 AM

Post #17 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi,

David: Thanks for your reply - sounds possible... I will try this first
thing tomorrow morning and report back with findings...

Br.
~maymann

2012/2/2 <david [at] lang>

> On Thu, 2 Feb 2012, Michael Maymann wrote:
>
> Hi Rainer,
>>
>> I really have my doubts it has something to do with my startup script:
>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>
>> I'm running on RHEL6.1_x64.
>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>> test...?
>>
>
>
> my guess is that this is a SELINUX related problem.
>
> what happens if you try to start rsyslog manually (not by running the
> startup script, but just running 'rsyslogd -c 6')?
>
> David Lang
>
>
>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>
>> Hi,
>>>
>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>> failing in the logs... and it actually doesn't fail... it works and after
>>> the timeout+failed notice only the process owned by PrivDropToUser-USER
>>> is present, but now owned by the init-process (mother process dies):
>>>
>>> # service rsyslog start
>>> Starting system logger: [FAILED]
>>>
>>> BEFORE failed status:
>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
>>> /usr/sbin/rsyslogd -c 6
>>>
>>> AFTER failed status the root-owned process is killed and the
>>> PrivDropToUser-USER owned process is therefore owned by init:
>>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
>>> /usr/sbin/rsyslogd -c 6
>>>
>>> Anyone who can help with this...?
>>> Here is the debug output when running the init-script:
>>> #/etc/init.d/rsyslog start
>>> + . /etc/init.d/functions
>>> ++ TEXTDOMAIN=initscripts
>>> ++ umask 022
>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>> ++ export PATH
>>> ++ '[' -z '' ']'
>>> ++ COLUMNS=80
>>> ++ '[' -z '' ']'
>>> +++ /sbin/consoletype
>>> ++ CONSOLETYPE=pty
>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>> ++ . /etc/profile.d/lang.sh
>>> ++ unset LANGSH_SOURCED
>>> ++ '[' -z '' ']'
>>> ++ '[' -f /etc/sysconfig/init ']'
>>> ++ . /etc/sysconfig/init
>>> +++ BOOTUP=color
>>> +++ RES_COL=60
>>> +++ MOVE_TO_COL='echo -en \033[.60G'
>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>> +++ PROMPT=yes
>>> +++ AUTOSWAP=no
>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>> +++ SINGLE=/sbin/sushell
>>> ++ '[' pty = serial ']'
>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>> + RETVAL=0
>>> + PIDFILE=/var/run/syslogd.pid
>>> + prog=rsyslogd
>>> + exec=/usr/sbin/rsyslogd
>>> + lockfile=/var/lock/subsys/rsyslogd
>>> + case "$1" in
>>> + start
>>> + '[' -x /usr/sbin/rsyslogd ']'
>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>> + . /etc/sysconfig/rsyslog
>>> ++ SYSLOGD_OPTIONS='-c 6'
>>> + umask 077
>>> + echo -n 'Starting system logger: '
>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
>>> /usr/sbin/rsyslogd -c 6
>>> + local gotbase= force= nicelevel corelimit
>>> + local pid base= user= nice= bg= pid_file=
>>> + local cgroup=
>>> + nicelevel=0
>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>> + case $1 in
>>> + pid_file=/var/run/syslogd.pid
>>> + shift
>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>> + '[' -z '' ']'
>>> + base=rsyslogd
>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>> + local base=rsyslogd
>>> + local pid_file=/var/run/syslogd.pid
>>> + pid=
>>> + '[' -f /var/run/syslogd.pid ']'
>>> + return 3
>>> + '[' -n '' -a -z '' ']'
>>> + corelimit='ulimit -S -c 0'
>>> + '[' -n '' ']'
>>> + '[' -n '' ']'
>>> + '[' color = verbose -a -z '' ']'
>>> + '[' -z '' ']'
>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>> ...
>>> (hangs here for a long time)
>>> ...
>>> + '[' 1 -eq 0 ']'
>>> + failure 'rsyslogd startup'
>>> + local rc=1
>>> + '[' color '!=' verbose -a -z '' ']'
>>> + echo_failure
>>> + '[' color = color ']'
>>> + echo -en '\033[.60G'
>>> + echo -n '['
>>> [+ '[' color = color ']'
>>> + echo -en '\033[.0;31m'
>>> + echo -n FAILED
>>> FAILED+ '[' color = color ']'
>>> + echo -en '\033[0;39m'
>>> + echo -n ']'
>>> ]+ echo -ne '\r'
>>> + return 1
>>> + '[' -x /usr/bin/plymouth ']'
>>> + /usr/bin/plymouth --details
>>> + return 1
>>> + RETVAL=1
>>> + echo
>>>
>>> + '[' 1 -eq 0 ']'
>>> + return 1
>>> + exit 1
>>>
>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>> same thing happens...
>>>
>>>
>>>
>>> Thanks in advance :-) !
>>>
>>> Br.
>>> ~maymann
>>>
>>>
>>>
>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>
>>>> I can only help you with that part if you point me to why exactly the
>>>> script claims what it does. So you may want to try to find someone who
>>>> can do that. I know this is probably a trivial question, but I don't
>>>> know anything ;)
>>>>
>>>> Sry, rainer
>>>>
>>>> -----Original Message-----
>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>
>>>>> Here is my startup script... only thing changed is the path to the new
>>>>> 6.3.6-rsyslog-devel binary.
>>>>> The startup-script also works perfectly when I comment out the
>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
>>>>> have both or one of the entries...:
>>>>> #!/bin/bash
>>>>> #
>>>>> # rsyslog        Starts rsyslogd/rklogd.
>>>>> #
>>>>> #
>>>>> # chkconfig: 2345 12 88
>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>> # messages to various system log files. It is a good idea to always \
>>>>> # run rsyslog.
>>>>> ### BEGIN INIT INFO
>>>>> # Provides: $syslog
>>>>> # Required-Start: $local_fs
>>>>> # Required-Stop: $local_fs
>>>>> # Default-Start: 2 3 4 5
>>>>> # Default-Stop: 0 1 6
>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>> #              sender lists, filtering on any message part, and fine
>>>>> #              grain output format control.
>>>>> ### END INIT INFO
>>>>>
>>>>> # Source function library.
>>>>> . /etc/init.d/functions
>>>>>
>>>>> RETVAL=0
>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>
>>>>> prog=rsyslogd
>>>>> #exec=/sbin/rsyslogd
>>>>> exec=/usr/sbin/rsyslogd
>>>>> lockfile=/var/lock/subsys/$prog
>>>>>
>>>>> start() {
>>>>>     [ -x $exec ] || exit 5
>>>>>
>>>>>     # Source config
>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>         . /etc/sysconfig/rsyslog
>>>>>     fi
>>>>>     umask 077
>>>>>
>>>>>     echo -n $"Starting system logger: "
>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>     RETVAL=$?
>>>>>     echo
>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>     return $RETVAL
>>>>> }
>>>>> stop() {
>>>>>     echo -n $"Shutting down system logger: "
>>>>>     killproc $prog
>>>>>     RETVAL=$?
>>>>>     echo
>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>     return $RETVAL
>>>>> }
>>>>> reload() {
>>>>>     RETVAL=1
>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>     echo -n "Reloading system logger..."
>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>         kill -HUP "$syslog";
>>>>>         RETVAL=$?
>>>>>     fi
>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>         failure
>>>>>     else
>>>>>         success
>>>>>     fi
>>>>>     echo
>>>>>     return $RETVAL
>>>>> }
>>>>> rhstatus() {
>>>>>     status -p "${PIDFILE}" $prog
>>>>> }
>>>>> restart() {
>>>>>     stop
>>>>>     start
>>>>> }
>>>>>
>>>>> case "$1" in
>>>>>   start)
>>>>>     start
>>>>>     ;;
>>>>>   stop)
>>>>>     stop
>>>>>     ;;
>>>>>   restart)
>>>>>     restart
>>>>>     ;;
>>>>>   reload|force-reload)
>>>>>     reload
>>>>>     ;;
>>>>>   status)
>>>>>     rhstatus
>>>>>     ;;
>>>>>   condrestart|try-restart)
>>>>>     rhstatus >/dev/null 2>&1 || exit 0
>>>>>     restart
>>>>>     ;;
>>>>>   *)
>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>     exit 2
>>>>> esac
>>>>>
>>>>> exit $?
>>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
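The BEFORE/AFTER ps listing quoted in this post only shows which user owns the surviving rsyslogd. A more thorough check reads all four uid/gid slots and the supplementary groups from /proc/<pid>/status, because a saved uid of 0 would let the process become root again. This is an added example for the thread, not rsyslog project code; the sample status files and the drop user's uid/gid 498 are constructed assumptions.

```python
"""privdrop_check.py: verify that a daemon such as rsyslogd has fully dropped
privileges, using the PPid/Uid/Gid/Groups lines of /proc/<pid>/status.
Added example for this thread, not rsyslog project code."""
import sys

# Order of the four numbers on the Uid: and Gid: lines of /proc/<pid>/status.
ID_SLOTS = ("real", "effective", "saved", "fs")


def parse_proc_status(text):
    """Parse the key: value lines of a /proc/<pid>/status file.

    Uid/Gid carry four ids (real, effective, saved, filesystem); Groups
    carries the supplementary group list, which may be empty.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", ""),
        "ppid": int(fields["PPid"]),
        "uid": dict(zip(ID_SLOTS, map(int, fields["Uid"].split()))),
        "gid": dict(zip(ID_SLOTS, map(int, fields["Gid"].split()))),
        "groups": [int(g) for g in fields.get("Groups", "").split()],
    }


def privdrop_findings(status, want_uid, want_gid):
    """Return a list of problems; an empty list means the drop is complete.

    All four uid slots must match: if only the effective uid was changed
    (seteuid-style), the saved uid stays 0 and setuid(0) restores root.
    The same applies to the gid slots, and gid 0 must not remain in the
    supplementary group list either.
    """
    findings = []
    for slot, uid in status["uid"].items():
        if uid != want_uid:
            findings.append("%s uid is %d, expected %d" % (slot, uid, want_uid))
    for slot, gid in status["gid"].items():
        if gid != want_gid:
            findings.append("%s gid is %d, expected %d" % (slot, gid, want_gid))
    if 0 in status["groups"]:
        findings.append("supplementary groups still include gid 0")
    return findings


def check_pid(pid, want_uid, want_gid):
    """Read the live /proc entry for pid (Linux) and return its findings."""
    with open("/proc/%d/status" % pid) as f:
        return privdrop_findings(parse_proc_status(f.read()), want_uid, want_gid)


# Constructed sample: the surviving worker from the thread's AFTER listing
# (pid 9131, reparented to init) once it runs as the drop user, assumed here
# to be uid/gid 498 (an assumption, not a value from the thread).
SAMPLE_DROPPED = """\
Name:\trsyslogd
State:\tS (sleeping)
Pid:\t9131
PPid:\t1
Uid:\t498\t498\t498\t498
Gid:\t498\t498\t498\t498
Groups:\t498
"""

# Constructed sample of an incomplete drop: the effective ids changed, but the
# saved uid/gid are still 0 and gid 0 lingers as a supplementary group.
SAMPLE_HALF_DROPPED = """\
Name:\trsyslogd
State:\tS (sleeping)
Pid:\t9131
PPid:\t1
Uid:\t498\t498\t0\t498
Gid:\t498\t498\t0\t498
Groups:\t0 498
"""

if __name__ == "__main__":
    # Usage: privdrop_check.py <pid> <uid> <gid>, e.g. with the pid from
    # /var/run/syslogd.pid, the PIDFILE used by the init script above.
    if len(sys.argv) != 4:
        sys.exit("usage: privdrop_check.py <pid> <uid> <gid>")
    pid, uid, gid = (int(a) for a in sys.argv[1:4])
    problems = check_pid(pid, uid, gid)
    for p in problems:
        print("PROBLEM: " + p)
    sys.exit(1 if problems else 0)
```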


michael at maymann

Feb 2, 2012, 11:08 PM

Post #18 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi,

David: unfortunately this was not the case...:
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

What else could cause this problem ?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <michael [at] maymann>

> Hi,
>
> David: Thanks for your reply - sounds possible... I will try this first
> thing tomorrow morning and report back with findings...
>
> Br.
> ~maymann
>
> 2012/2/2 <david [at] lang>
>
> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>
>> Hi Rainer,
>>>
>>> I really have my doubts it has something to do with my startup script:
>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>
>>> I'm running on RHEL6.1_x64.
>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>> test...?
>>>
>>
>>
>> my guess is that this is a SELINUX related problem.
>>
>> what happens if you try to start rsyslog manually (not by running the
>> startup script, but just running 'rsyslogd -c 6')?
>>
>> David Lang
>>
>>
>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>
>>> Hi,
>>>>
>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>> failing in the logs... and it actually doesn't fail... it works and
>>>> after
>>>> the timeout+failed notice only the proccess owned by
>>>> PrivDropToUser-USER is
>>>> present, but now owned by the init-proccess (mother proccess dies):
>>>>
>>>> # service rsyslog start
>>>> Starting system logger: [FAILED]
>>>>
>>>> BEFORE failed status:
>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
>>>> /usr/sbin/rsyslogd -c 6
>>>>
>>>> AFTER failed status root-owned proccess is killed and
>>>> PrivDropToUser-USER
>>>> owned proccess is therefore gets owned by init:
>>>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
>>>> /usr/sbin/rsyslogd -c 6
>>>>
>>>> Anyone who can help with this...?:
>>>> here is the debug output when starting running the init-script:
>>>> #/etc/init.d/rsyslog start
>>>> + . /etc/init.d/functions
>>>> ++ TEXTDOMAIN=initscripts
>>>> ++ umask 022
>>>> ++ PATH=/sbin:/usr/sbin:/bin:/**usr/bin
>>>> ++ export PATH
>>>> ++ '[' -z '' ']'
>>>> ++ COLUMNS=80
>>>> ++ '[' -z '' ']'
>>>> +++ /sbin/consoletype
>>>> ++ CONSOLETYPE=pty
>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>> ++ . /etc/profile.d/lang.sh
>>>> ++ unset LANGSH_SOURCED
>>>> ++ '[' -z '' ']'
>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>> ++ . /etc/sysconfig/init
>>>> +++ BOOTUP=color
>>>> +++ RES_COL=60
>>>> +++ MOVE_TO_COL='echo -en \033[.60G'
>>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
>>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
>>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>> +++ PROMPT=yes
>>>> +++ AUTOSWAP=no
>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]**'
>>>> +++ SINGLE=/sbin/sushell
>>>> ++ '[' pty = serial ']'
>>>> ++
>>>> __sed_discard_ignored_files='/**\(~\|\.bak\|\.orig\|\.rpmnew\|**
>>>> \.rpmorig\|\.rpmsave\)$/d'
>>>> + RETVAL=0
>>>> + PIDFILE=/var/run/syslogd.pid
>>>> + prog=rsyslogd
>>>> + exec=/usr/sbin/rsyslogd
>>>> + lockfile=/var/lock/subsys/**rsyslogd
>>>> + case "$1" in
>>>> + start
>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>> + . /etc/sysconfig/rsyslog
>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>> + umask 077
>>>> + echo -n 'Starting system logger: '
>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
>>>> /usr/sbin/rsyslogd -c 6
>>>> + local gotbase= force= nicelevel corelimit
>>>> + local pid base= user= nice= bg= pid_file=
>>>> + local cgroup=
>>>> + nicelevel=0
>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid
>>>> ']'
>>>> + case $1 in
>>>> + pid_file=/var/run/syslogd.pid
>>>> + shift
>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>> + '[' -z '' ']'
>>>> + base=rsyslogd
>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>> + local base=rsyslogd
>>>> + local pid_file=/var/run/syslogd.pid
>>>> + pid=
>>>> + '[' -f /var/run/syslogd.pid ']'
>>>> + return 3
>>>> + '[' -n '' -a -z '' ']'
>>>> + corelimit='ulimit -S -c 0'
>>>> + '[' -n '' ']'
>>>> + '[' -n '' ']'
>>>> + '[' color = verbose -a -z '' ']'
>>>> + '[' -z '' ']'
>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c
>>>> 6'
>>>> ...
>>>> (hangs here for a long time)
>>>> ...
>>>> + '[' 1 -eq 0 ']'
>>>> + failure 'rsyslogd startup'
>>>> + local rc=1
>>>> + '[' color '!=' verbose -a -z '' ']'
>>>> + echo_failure
>>>> + '[' color = color ']'
>>>> + echo -en '\033[.60G'
>>>> + echo -n '['
>>>> [+ '[' color = color ']'
>>>> + echo -en '\033[.0;31m'
>>>> + echo -n FAILED
>>>> FAILED+ '[' color = color ']'
>>>> + echo -en '\033[0;39m'
>>>> + echo -n ']'
>>>> ]+ echo -ne '\r'
>>>> + return 1
>>>> + '[' -x /usr/bin/plymouth ']'
>>>> + /usr/bin/plymouth --details
>>>> + return 1
>>>> + RETVAL=1
>>>> + echo
>>>>
>>>> + '[' 1 -eq 0 ']'
>>>> + return 1
>>>> + exit 1
>>>>
>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>> same thing happens...
>>>>
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>>
>>>> Br.
>>>> ~maymann
>>>>
>>>>
>>>>
>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>>
>>>> I can only help you with that part if you point me to why exactly the
>>>>> script
>>>>> claims what it does. So you may want to try find someone who can do
>>>>> that.
>>>>> I
>>>>> know this is probably a trivial question, but I don't know anything ;)
>>>>>
>>>>> Sry, rainer
>>>>>
>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces [at] lists**com<rsyslog-bounces [at] lists>[mailto:
>>>>>> rsyslog-
>>>>>> bounces [at] lists] On Behalf Of Michael Maymann
>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>
>>>>>> Here is my startup script... only thing changed is the path to the new
>>>>>> 6.3.6-rsyslog-devel binary.
>>>>>> The startup-scripts works also perfectly when i comment out the
>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if i
>>>>>> have
>>>>>> both or one of the entries...:
>>>>>> #!/bin/bash
>>>>>> #
>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>> #
>>>>>> #
>>>>>> # chkconfig: 2345 12 88
>>>>>> # description: Syslog is the facility by which many daemons use to log
>>>>>> \
>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>> # run rsyslog.
>>>>>> ### BEGIN INIT INFO
>>>>>> # Provides: $syslog
>>>>>> # Required-Start: $local_fs
>>>>>> # Required-Stop: $local_fs
>>>>>> # Default-Start: 2 3 4 5
>>>>>> # Default-Stop: 0 1 6
>>>>>> # Short-Description: Enhanced system logging and kernel message
>>>>>> trapping
>>>>>> daemons
>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd
>>>>>> supporting,
>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>> # sender lists, filtering on any message part, and fine
>>>>>> # grain output format control.
>>>>>> ### END INIT INFO
>>>>>>
>>>>>> # Source function library.
>>>>>> . /etc/init.d/functions
>>>>>>
>>>>>> RETVAL=0
>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>
>>>>>> prog=rsyslogd
>>>>>> #exec=/sbin/rsyslogd
>>>>>> exec=/usr/sbin/rsyslogd
>>>>>> lockfile=/var/lock/subsys/$**prog
>>>>>>
>>>>>> start() {
>>>>>> [ -x $exec ] || exit 5
>>>>>>
>>>>>> # Source config
>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>> . /etc/sysconfig/rsyslog
>>>>>> fi
>>>>>> umask 077
>>>>>>
>>>>>> echo -n $"Starting system logger: "
>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>> RETVAL=$?
>>>>>> echo
>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>> return $RETVAL
>>>>>> }
>>>>>> stop() {
>>>>>> echo -n $"Shutting down system logger: "
>>>>>> killproc $prog
>>>>>> RETVAL=$?
>>>>>> echo
>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>> return $RETVAL
>>>>>> }
>>>>>> reload() {
>>>>>> RETVAL=1
>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>> echo -n "Reloading system logger..."
>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>> kill -HUP "$syslog";
>>>>>> RETVAL=$?
>>>>>> fi
>>>>>> if [ $RETVAL -ne 0 ]; then
>>>>>> failure
>>>>>> else
>>>>>> success
>>>>>> fi
>>>>>> echo
>>>>>> return $RETVAL
>>>>>> }
>>>>>> rhstatus() {
>>>>>> status -p "${PIDFILE}" $prog
>>>>>> }
>>>>>> restart() {
>>>>>> stop
>>>>>> start
>>>>>> }
>>>>>>
>>>>>> case "$1" in
>>>>>> start)
>>>>>> start
>>>>>> ;;
>>>>>> stop)
>>>>>> stop
>>>>>> ;;
>>>>>> restart)
>>>>>> restart
>>>>>> ;;
>>>>>> reload|force-reload)
>>>>>> reload
>>>>>> ;;
>>>>>> status)
>>>>>> rhstatus
>>>>>> ;;
>>>>>> condrestart|try-restart)
>>>>>> rhstatus >/dev/null 2>&1 || exit 0
>>>>>> restart
>>>>>> ;;
>>>>>> *)
>>>>>> echo $"Usage: $0
>>>>>> {start|stop|restart|**condrestart|try-restart|**reload|force-
>>>>>> reload|status}"
>>>>>> exit 2
>>>>>> esac
>>>>>>
>>>>>> exit $?
>>>>>>
>>>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>> To: rsyslog-users
>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>>>> hang+timeout" I sent you can solve anything... anyway it works now - but
>>>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>>>>
>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>>>> there is some problem with the startup script, which I don't know. I
>>>>>>> suggest to ask what the FAILED status is caused by. We can then look why this
>>>>>>> happens.
>>>>>>>
>>>>>>> Sorry I have no better answer...
>>>>>>> Rainer
>>>>>>>
>>>>>>>
>>>>>>>> Thanks in advance :-) !
>>>>>>>> ~maymann
>>>>>>>>
>>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>>
>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>>>>>>>>>> as root.
>>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
>>>>>>>>>> (and root export of NFS is generally not a good idea !).
>>>>>>>>>>
>>>>>>>>>> Here is my rsyslog.conf:
>>>>>>>>>> #LOAD MODULES
>>>>>>>>>> $ModLoad imudp
>>>>>>>>>> $UDPServerRun 514
>>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>>> $ModLoad imtcp
>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>>>>>>>>>
>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>>>
>>>>>>>>>> So permissions to bind and sockets seems to be the problem...
>>>>>>>>>>
>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some
>>>>>>>>> other non-standard changes through sysctl)
>>>>>>>>>
>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>>>>>>>>>> yes: how ?
>>>>>>>>>
>>>>>>>>> permission drop features
>>>>>>>>>
>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
>>>>>>>>>> server - if yes: how ?
>>>>>>>>>
>>>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>>>
>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>>
>>>>>>>>> su can run a command as a different user.
>>>>>>>>>
>>>>>>>>> although as Rainer points out, you may just be looking for the permission
>>>>>>>>> dropping features that are already in rsyslog.
>>>>>>>>>
>>>>>>>>> David Lang
>>>>>>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


michael at maymann

Feb 2, 2012, 11:38 PM

Post #19 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi,

forgot to mention, that when I run:
# /usr/sbin/rsyslogd -c 6
it does the same thing... (hang+timeout+live
init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
enabled in /etc/rsyslog.conf... otherwise working perfectly...
Would this possibly be solved in yesterday's release: 6.3.7-devel ?

Thanks in advance :-) !
~maymann

2012/2/3 Michael Maymann <michael [at] maymann>

> Hi,
>
> David: unfortunately this was not the case...:
> # cat /etc/sysconfig/selinux
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=disabled
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
> What else could cause this problem ?
>
>
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann <michael [at] maymann>
>
>> Hi,
>>
>> David: Thanks for your reply - sounds possible... I will try this first
>> thing tomorrow morning and report back with findings...
>>
>> Br.
>> ~maymann
>>
>> 2012/2/2 <david [at] lang>
>>
>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>
>>> Hi Rainer,
>>>>
>>>> I really have my doubts it has something to do with my startup script:
>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>
>>>> I'm running on RHEL6.1_x64.
>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>>> test...?
>>>>
>>>
>>>
>>> my guess is that this is a SELINUX related problem.
>>>
>>> what happens if you try to start rsyslog manually (not by running the
>>> startup script, but just running 'rsyslogd -c 6' "
>>>
>>> David Lang
>>>
>>>
>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>
>>>> Hi,
>>>>>
>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>>> failing in the logs... and it actually doesn't fail... it works and
>>>>> after the timeout+failed notice only the process owned by
>>>>> PrivDropToUser-USER is present, but now owned by the init-process
>>>>> (mother process dies):
>>>>>
>>>>> # service rsyslog start
>>>>> Starting system logger: [FAILED]
>>>>>
>>>>> BEFORE failed status:
>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
>>>>> /usr/sbin/rsyslogd -c 6
>>>>>
>>>>> AFTER failed status the root-owned process is killed and the
>>>>> PrivDropToUser-USER owned process is therefore owned by init:
>>>>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
>>>>> /usr/sbin/rsyslogd -c 6
>>>>>
>>>>> Anyone who can help with this...?:
>>>>> here is the debug output when starting running the init-script:
>>>>> #/etc/init.d/rsyslog start
>>>>> + . /etc/init.d/functions
>>>>> ++ TEXTDOMAIN=initscripts
>>>>> ++ umask 022
>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>> ++ export PATH
>>>>> ++ '[' -z '' ']'
>>>>> ++ COLUMNS=80
>>>>> ++ '[' -z '' ']'
>>>>> +++ /sbin/consoletype
>>>>> ++ CONSOLETYPE=pty
>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>> ++ . /etc/profile.d/lang.sh
>>>>> ++ unset LANGSH_SOURCED
>>>>> ++ '[' -z '' ']'
>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>> ++ . /etc/sysconfig/init
>>>>> +++ BOOTUP=color
>>>>> +++ RES_COL=60
>>>>> +++ MOVE_TO_COL='echo -en \033[.60G'
>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
>>>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
>>>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>> +++ PROMPT=yes
>>>>> +++ AUTOSWAP=no
>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>> +++ SINGLE=/sbin/sushell
>>>>> ++ '[' pty = serial ']'
>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>> + RETVAL=0
>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>> + prog=rsyslogd
>>>>> + exec=/usr/sbin/rsyslogd
>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>> + case "$1" in
>>>>> + start
>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>> + . /etc/sysconfig/rsyslog
>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>> + umask 077
>>>>> + echo -n 'Starting system logger: '
>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
>>>>> /usr/sbin/rsyslogd -c 6
>>>>> + local gotbase= force= nicelevel corelimit
>>>>> + local pid base= user= nice= bg= pid_file=
>>>>> + local cgroup=
>>>>> + nicelevel=0
>>>>> + '[' --pidfile=/var/run/syslogd.pid '!='
>>>>> -pidfile=/var/run/syslogd.pid ']'
>>>>> + case $1 in
>>>>> + pid_file=/var/run/syslogd.pid
>>>>> + shift
>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>> + '[' -z '' ']'
>>>>> + base=rsyslogd
>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>> + local base=rsyslogd
>>>>> + local pid_file=/var/run/syslogd.pid
>>>>> + pid=
>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>> + return 3
>>>>> + '[' -n '' -a -z '' ']'
>>>>> + corelimit='ulimit -S -c 0'
>>>>> + '[' -n '' ']'
>>>>> + '[' -n '' ']'
>>>>> + '[' color = verbose -a -z '' ']'
>>>>> + '[' -z '' ']'
>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>>> ...
>>>>> (hangs here for a long time)
>>>>> ...
>>>>> + '[' 1 -eq 0 ']'
>>>>> + failure 'rsyslogd startup'
>>>>> + local rc=1
>>>>> + '[' color '!=' verbose -a -z '' ']'
>>>>> + echo_failure
>>>>> + '[' color = color ']'
>>>>> + echo -en '\033[.60G'
>>>>> + echo -n '['
>>>>> [+ '[' color = color ']'
>>>>> + echo -en '\033[.0;31m'
>>>>> + echo -n FAILED
>>>>> FAILED+ '[' color = color ']'
>>>>> + echo -en '\033[0;39m'
>>>>> + echo -n ']'
>>>>> ]+ echo -ne '\r'
>>>>> + return 1
>>>>> + '[' -x /usr/bin/plymouth ']'
>>>>> + /usr/bin/plymouth --details
>>>>> + return 1
>>>>> + RETVAL=1
>>>>> + echo
>>>>>
>>>>> + '[' 1 -eq 0 ']'
>>>>> + return 1
>>>>> + exit 1
>>>>>
>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>>> same thing happens...
>>>>>
>>>>>
>>>>>
>>>>> Thanks in advance :-) !
>>>>>
>>>>> Br.
>>>>> ~maymann
>>>>>
>>>>>
>>>>>
>>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>>>
>>>>> I can only help you with that part if you point me to why exactly the
>>>>>> script
>>>>>> claims what it does. So you may want to try find someone who can do
>>>>>> that.
>>>>>> I
>>>>>> know this is probably a trivial question, but I don't know anything ;)
>>>>>>
>>>>>> Sry, rainer
>>>>>>
>>>>>> -----Original Message-----
>>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>>> To: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>
>>>>>>> Here is my startup script... only thing changed is the path to the new
>>>>>>> 6.3.6-rsyslog-devel binary.
>>>>>>> The startup-script also works perfectly when I comment out the
>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
>>>>>>> have both or one of the entries...:
>>>>>>> #!/bin/bash
>>>>>>> #
>>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>>> #
>>>>>>> #
>>>>>>> # chkconfig: 2345 12 88
>>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>>> # run rsyslog.
>>>>>>> ### BEGIN INIT INFO
>>>>>>> # Provides: $syslog
>>>>>>> # Required-Start: $local_fs
>>>>>>> # Required-Stop: $local_fs
>>>>>>> # Default-Start: 2 3 4 5
>>>>>>> # Default-Stop: 0 1 6
>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>> # sender lists, filtering on any message part, and fine
>>>>>>> # grain output format control.
>>>>>>> ### END INIT INFO
>>>>>>>
>>>>>>> # Source function library.
>>>>>>> . /etc/init.d/functions
>>>>>>>
>>>>>>> RETVAL=0
>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>
>>>>>>> prog=rsyslogd
>>>>>>> #exec=/sbin/rsyslogd
>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>
>>>>>>> start() {
>>>>>>> [ -x $exec ] || exit 5
>>>>>>>
>>>>>>> # Source config
>>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>> . /etc/sysconfig/rsyslog
>>>>>>> fi
>>>>>>> umask 077
>>>>>>>
>>>>>>> echo -n $"Starting system logger: "
>>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>> RETVAL=$?
>>>>>>> echo
>>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>> return $RETVAL
>>>>>>> }
>>>>>>> stop() {
>>>>>>> echo -n $"Shutting down system logger: "
>>>>>>> killproc $prog
>>>>>>> RETVAL=$?
>>>>>>> echo
>>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>> return $RETVAL
>>>>>>> }
>>>>>>> reload() {
>>>>>>> RETVAL=1
>>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>> echo -n "Reloading system logger..."
>>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>> kill -HUP "$syslog";
>>>>>>> RETVAL=$?
>>>>>>> fi
>>>>>>> if [ $RETVAL -ne 0 ]; then
>>>>>>> failure
>>>>>>> else
>>>>>>> success
>>>>>>> fi
>>>>>>> echo
>>>>>>> return $RETVAL
>>>>>>> }
>>>>>>> rhstatus() {
>>>>>>> status -p "${PIDFILE}" $prog
>>>>>>> }
>>>>>>> restart() {
>>>>>>> stop
>>>>>>> start
>>>>>>> }
>>>>>>>
>>>>>>> case "$1" in
>>>>>>> start)
>>>>>>> start
>>>>>>> ;;
>>>>>>> stop)
>>>>>>> stop
>>>>>>> ;;
>>>>>>> restart)
>>>>>>> restart
>>>>>>> ;;
>>>>>>> reload|force-reload)
>>>>>>> reload
>>>>>>> ;;
>>>>>>> status)
>>>>>>> rhstatus
>>>>>>> ;;
>>>>>>> condrestart|try-restart)
>>>>>>> rhstatus >/dev/null 2>&1 || exit 0
>>>>>>> restart
>>>>>>> ;;
>>>>>>> *)
>>>>>>> echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>> exit 2
>>>>>>> esac
>>>>>>>
>>>>>>> exit $?
>>>>>>>
>>>>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>>> To: rsyslog-users
>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>>>>> hang+timeout" I sent you can solve anything... anyway it works now - but
>>>>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>>>>>
>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>>>>> there is some problem with the startup script, which I don't know. I
>>>>>>>> suggest to ask what the FAILED status is caused by. We can then look why this
>>>>>>>> happens.
>>>>>>>>
>>>>>>>> Sorry I have no better answer...
>>>>>>>> Rainer
>>>>>>>>
>>>>>>>>
>>>>>>>>> Thanks in advance :-) !
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>>>
>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>>>>>>>>>>> as root.
>>>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
>>>>>>>>>>> (and root export of NFS is generally not a good idea !).
>>>>>>>>>>>
>>>>>>>>>>> Here is my rsyslog.conf:
>>>>>>>>>>> #LOAD MODULES
>>>>>>>>>>> $ModLoad imudp
>>>>>>>>>>> $UDPServerRun 514
>>>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>>>> $ModLoad imtcp
>>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>>>>>>>>>>
>>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>>>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>>>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>>>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>>>>
>>>>>>>>>>> So permissions to bind and sockets seems to be the problem...
>>>>>>>>>>>
>>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some
>>>>>>>>>> other non-standard changes through sysctl)
>>>>>>>>>>
>>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>>>>>>>>>>> yes: how ?
>>>>>>>>>>
>>>>>>>>>> permission drop features
>>>>>>>>>>
>>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
>>>>>>>>>>> server - if yes: how ?
>>>>>>>>>>
>>>>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>>>>
>>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>>>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>>>
>>>>>>>>>> su can run a command as a different user.
>>>>>>>>>>
>>>>>>>>>> although as Rainer points out, you may just be looking for the permission
>>>>>>>>>> dropping features that are already in rsyslog.
>>>>>>>>>>
>>>>>>>>>> David Lang
>>>>>>>>>>
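Two checks for the situation this thread is about, as an added example (not code from the thread or from the rsyslog project): a lint of the legacy rsyslog.conf directives that flags the combination David Lang's reply explains (a listener below port 1024 with no $PrivDropToUser, which an unprivileged start cannot bind), and a check over a ps listing like the two snapshots quoted above that tells whether the privilege drop completed. The account name rsyslog, the ps -ef column layout and all sample inputs are assumptions; the thread redacts the real user name.

```shell
#!/bin/sh
# Added example, not code from the thread or from the rsyslog project.
# Two checks built from the thread's advice: listeners below port 1024 need
# root to bind, so either use a high port and start rsyslogd directly as the
# unprivileged user, or start it as root and let $PrivDropToUser /
# $PrivDropToGroup drop privileges. Only the legacy "$Directive value"
# syntax used in the thread is parsed. The account name "rsyslog" is an
# assumption; the thread redacts it as <PrivDropToUser-USER>.

# rsyslog_conf_lint CONF_TEXT
# Prints one finding per line; the return value is the number of findings.
rsyslog_conf_lint() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                # comment line
        NF == 0    { next }                # blank line
        { d = tolower($1) }                # directives are case-insensitive
        d == "$privdroptouser"    { drop_user = $2 }
        d == "$privdroptogroup"   { drop_group = $2 }
        d == "$udpserverrun"      { lst[++n] = "UDP " $2 }
        d == "$inputtcpserverrun" { lst[++n] = "TCP " $2 }
        END {
            findings = 0
            for (i = 1; i <= n; i++) {
                split(lst[i], p, " ")
                # Without privilege dropping the daemon has to be started as the
                # unprivileged user itself, and a privileged port then fails with
                # the "bind: Permission denied" seen in the first post.
                if (p[2] + 0 < 1024 && drop_user == "") {
                    print p[1] " listener on port " p[2] ": needs root to bind; use a port > 1024 or start as root with $PrivDropToUser"
                    findings++
                }
            }
            # rsyslog drops uid and gid independently: with only the user set,
            # the process keeps the group it was started with (root).
            if (drop_user != "" && drop_group == "") {
                print "$PrivDropToUser set without $PrivDropToGroup: group id is not dropped"
                findings++
            }
            exit findings
        }'
}

# privdrop_check PS_TEXT EXPECTED_USER
# PS_TEXT is "ps -ef"-style output (UID PID PPID C STIME TTY TIME CMD).
# Returns 0 when every rsyslogd runs as EXPECTED_USER (the drop completed),
# 1 when a rsyslogd owned by anyone else (normally root) is still present,
# and 2 when no rsyslogd is running at all. A PPID of 1 only means the
# parent has exited; whether the start "succeeded" is decided by the
# parent's exit status, which is what the init script's daemon() reports.
privdrop_check() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "UID" || $1 == "USER" { next }           # header line
        $8 ~ /(^|\/)rsyslogd$/ { total++; if ($1 != want) other++ }
        END {
            if (total == 0) exit 2
            if (other > 0)  exit 1
            exit 0
        }'
}

# Constructed inputs. The first config is the first post's listener setup
# without privilege dropping; the second adds the two directives the thread
# settled on; the third uses a high port so no root is needed at all.
CONF_ROOT_ONLY='$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514'
CONF_PRIVDROP="$CONF_ROOT_ONLY
\$PrivDropToUser rsyslog
\$PrivDropToGroup rsyslog"
CONF_HIGH_PORT='$ModLoad imtcp
$InputTCPServerRun 10514'

# Constructed process listings modelled on the two snapshots in the thread:
# the root parent still alive, then only the dropped child reparented to init.
PS_BEFORE='UID PID PPID C STIME TTY TIME CMD
root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
rsyslog 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6'
PS_AFTER='UID PID PPID C STIME TTY TIME CMD
rsyslog 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6'

for name in CONF_ROOT_ONLY CONF_PRIVDROP CONF_HIGH_PORT; do
    eval "conf=\$$name"
    rc=0; rsyslog_conf_lint "$conf" || rc=$?
    echo "$name: $rc finding(s)"
done
rc=0; privdrop_check "$PS_BEFORE" rsyslog || rc=$?; echo "before: rc=$rc"
rc=0; privdrop_check "$PS_AFTER"  rsyslog || rc=$?; echo "after:  rc=$rc"
```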


rgerhards at hq

Feb 2, 2012, 11:54 PM

Post #20 of 37 (426 views)
Permalink
Re: rsyslog as non-root user [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 8:38 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> forgot to mention, that when I run:
> # /usr/sbin/rsyslogd -c 6
> it does the same thing... (hang+timeout+live
What do you mean with "hang"? I could see no indication of any slowed-down
processing inside the debug log. It may also be useful if you shared the
debug log publicly, in case someone else has an idea.

rainer

> init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
> enabled in /etc/rsyslog.conf... otherwise working perfectly...
> Would this possibly be solved in yesterday's release: 6.3.7-devel ?
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/3 Michael Maymann <michael [at] maymann>
>
> > Hi,
> >
> > David: unfortunately this was not the case...:
> > # cat /etc/sysconfig/selinux
> > # This file controls the state of SELinux on the system.
> > # SELINUX= can take one of these three values:
> > # enforcing - SELinux security policy is enforced.
> > # permissive - SELinux prints warnings instead of enforcing.
> > # disabled - SELinux is fully disabled.
> > SELINUX=disabled
> > # SELINUXTYPE= type of policy in use. Possible values are:
> > # targeted - Only targeted network daemons are protected.
> > # strict - Full SELinux protection.
> > SELINUXTYPE=targeted
> >
> > What else could cause this problem ?
> >
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/2/2 Michael Maymann <michael [at] maymann>
> >
> >> Hi,
> >>
> >> David: Thanks for your reply - sounds possible... I will try this first
> >> thing tomorrow morning and report back with findings...
> >>
> >> Br.
> >> ~maymann
> >>
> >> 2012/2/2 <david [at] lang>
> >>
> >> On Thu, 2 Feb 2012, Michael Maymann wrote:
> >>>
> >>> Hi Rainer,
> >>>>
> >>>> I really have my doubts it has something to do with my startup script:
> >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> >>>>
> >>>> I'm running on RHEL6.1_x64.
> >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
> >>>> test...?
> >>>>
> >>>
> >>>
> >>> my guess is that this is a SELINUX related problem.
> >>>
> >>> what happens if you try to start rsyslog manually (not by running the
> >>> startup script, but just running 'rsyslogd -c 6' "
> >>>
> >>> David Lang
> >>>
> >>>
> >>>
> >>>> Thanks in advance :-) !
> >>>> ~maymann
> >>>>
> >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> >>>>
> >>>> Hi,
> >>>>>
> >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
> >>>>> failing in the logs... and it actually doesn't fail... it works and
> >>>>> after the timeout+failed notice only the process owned by
> >>>>> PrivDropToUser-USER is present, but now owned by the init-process
> >>>>> (mother process dies):
> >>>>>
> >>>>> # service rsyslog start
> >>>>> Starting system logger: [FAILED]
> >>>>>
> >>>>> BEFORE failed status:
> >>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> >>>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
> >>>>>
> >>>>> AFTER failed status the root-owned process is killed and the
> >>>>> PrivDropToUser-USER owned process is therefore owned by init:
> >>>>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
> >>>>>
> >>>>> Anyone who can help with this...?:
> >>>>> here is the debug output when starting running the init-script:
> >>>>> #/etc/init.d/rsyslog start
> >>>>> + . /etc/init.d/functions
> >>>>> ++ TEXTDOMAIN=initscripts
> >>>>> ++ umask 022
> >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> >>>>> ++ export PATH
> >>>>> ++ '[' -z '' ']'
> >>>>> ++ COLUMNS=80
> >>>>> ++ '[' -z '' ']'
> >>>>> +++ /sbin/consoletype
> >>>>> ++ CONSOLETYPE=pty
> >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> >>>>> ++ . /etc/profile.d/lang.sh
> >>>>> ++ unset LANGSH_SOURCED
> >>>>> ++ '[' -z '' ']'
> >>>>> ++ '[' -f /etc/sysconfig/init ']'
> >>>>> ++ . /etc/sysconfig/init
> >>>>> +++ BOOTUP=color
> >>>>> +++ RES_COL=60
> >>>>> +++ MOVE_TO_COL='echo -en \033[.60G'
> >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> >>>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> >>>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> >>>>> +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> >>>>> +++ PROMPT=yes
> >>>>> +++ AUTOSWAP=no
> >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> >>>>> +++ SINGLE=/sbin/sushell
> >>>>> ++ '[' pty = serial ']'
> >>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> >>>>> + RETVAL=0
> >>>>> + PIDFILE=/var/run/syslogd.pid
> >>>>> + prog=rsyslogd
> >>>>> + exec=/usr/sbin/rsyslogd
> >>>>> + lockfile=/var/lock/subsys/rsyslogd
> >>>>> + case "$1" in
> >>>>> + start
> >>>>> + '[' -x /usr/sbin/rsyslogd ']'
> >>>>> + '[' -f /etc/sysconfig/rsyslog ']'
> >>>>> + . /etc/sysconfig/rsyslog
> >>>>> ++ SYSLOGD_OPTIONS='-c 6'
> >>>>> + umask 077
> >>>>> + echo -n 'Starting system logger: '
> >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
> >>>>> + local gotbase= force= nicelevel corelimit
> >>>>> + local pid base= user= nice= bg= pid_file=
> >>>>> + local cgroup=
> >>>>> + nicelevel=0
> >>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> >>>>> + case $1 in
> >>>>> + pid_file=/var/run/syslogd.pid
> >>>>> + shift
> >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> >>>>> + '[' -z '' ']'
> >>>>> + base=rsyslogd
> >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
> >>>>> + local base=rsyslogd
> >>>>> + local pid_file=/var/run/syslogd.pid
> >>>>> + pid=
> >>>>> + '[' -f /var/run/syslogd.pid ']'
> >>>>> + return 3
> >>>>> + '[' -n '' -a -z '' ']'
> >>>>> + corelimit='ulimit -S -c 0'
> >>>>> + '[' -n '' ']'
> >>>>> + '[' -n '' ']'
> >>>>> + '[' color = verbose -a -z '' ']'
> >>>>> + '[' -z '' ']'
> >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> >>>>> ...
> >>>>> (hangs here for a long time)
> >>>>> ...
> >>>>> + '[' 1 -eq 0 ']'
> >>>>> + failure 'rsyslogd startup'
> >>>>> + local rc=1
> >>>>> + '[' color '!=' verbose -a -z '' ']'
> >>>>> + echo_failure
> >>>>> + '[' color = color ']'
> >>>>> + echo -en '\033[60G'
> >>>>> + echo -n '['
> >>>>> [+ '[' color = color ']'
> >>>>> + echo -en '\033[.0;31m'
> >>>>> + echo -n FAILED
> >>>>> FAILED+ '[' color = color ']'
> >>>>> + echo -en '\033[0;39m'
> >>>>> + echo -n ']'
> >>>>> ]+ echo -ne '\r'
> >>>>> + return 1
> >>>>> + '[' -x /usr/bin/plymouth ']'
> >>>>> + /usr/bin/plymouth --details
> >>>>> + return 1
> >>>>> + RETVAL=1
> >>>>> + echo
> >>>>>
> >>>>> + '[' 1 -eq 0 ']'
> >>>>> + return 1
> >>>>> + exit 1
> >>>>>
> >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
> >>>>> same thing happens...
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thanks in advance :-) !
> >>>>>
> >>>>> Br.
> >>>>> ~maymann
> >>>>>
> >>>>>
> >>>>>
> >>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >>>>>
> >>>>>> I can only help you with that part if you point me to why exactly the
> >>>>>> script claims what it does. So you may want to try to find someone who
> >>>>>> can do that. I know this is probably a trivial question, but I don't
> >>>>>> know anything ;)
> >>>>>>
> >>>>>> Sry, rainer
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
> >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
> >>>>>>> To: rsyslog-users
> >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
> >>>>>>>
> >>>>>>> Here is my startup script... the only thing changed is the path to the
> >>>>>>> new 6.3.6-rsyslog-devel binary.
> >>>>>>> The startup script also works perfectly when I comment out the
> >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I
> >>>>>>> have one or both of the entries...:
> >>>>>>> #!/bin/bash
> >>>>>>> #
> >>>>>>> # rsyslog        Starts rsyslogd/rklogd.
> >>>>>>> #
> >>>>>>> #
> >>>>>>> # chkconfig: 2345 12 88
> >>>>>>> # description: Syslog is the facility by which many daemons use to log \
> >>>>>>> # messages to various system log files.  It is a good idea to always \
> >>>>>>> # run rsyslog.
> >>>>>>> ### BEGIN INIT INFO
> >>>>>>> # Provides: $syslog
> >>>>>>> # Required-Start: $local_fs
> >>>>>>> # Required-Stop: $local_fs
> >>>>>>> # Default-Start: 2 3 4 5
> >>>>>>> # Default-Stop: 0 1 6
> >>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
> >>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> >>>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
> >>>>>>> #              sender lists, filtering on any message part, and fine
> >>>>>>> #              grain output format control.
> >>>>>>> ### END INIT INFO
> >>>>>>>
> >>>>>>> # Source function library.
> >>>>>>> . /etc/init.d/functions
> >>>>>>>
> >>>>>>> RETVAL=0
> >>>>>>> PIDFILE=/var/run/syslogd.pid
> >>>>>>>
> >>>>>>> prog=rsyslogd
> >>>>>>> #exec=/sbin/rsyslogd
> >>>>>>> exec=/usr/sbin/rsyslogd
> >>>>>>> lockfile=/var/lock/subsys/$prog
> >>>>>>>
> >>>>>>> start() {
> >>>>>>>     [ -x $exec ] || exit 5
> >>>>>>>
> >>>>>>>     # Source config
> >>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
> >>>>>>>         . /etc/sysconfig/rsyslog
> >>>>>>>     fi
> >>>>>>>     umask 077
> >>>>>>>
> >>>>>>>     echo -n $"Starting system logger: "
> >>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> >>>>>>>     RETVAL=$?
> >>>>>>>     echo
> >>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
> >>>>>>>     return $RETVAL
> >>>>>>> }
> >>>>>>> stop() {
> >>>>>>>     echo -n $"Shutting down system logger: "
> >>>>>>>     killproc $prog
> >>>>>>>     RETVAL=$?
> >>>>>>>     echo
> >>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
> >>>>>>>     return $RETVAL
> >>>>>>> }
> >>>>>>> reload() {
> >>>>>>>     RETVAL=1
> >>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
> >>>>>>>     echo -n "Reloading system logger..."
> >>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> >>>>>>>         kill -HUP "$syslog";
> >>>>>>>         RETVAL=$?
> >>>>>>>     fi
> >>>>>>>     if [ $RETVAL -ne 0 ]; then
> >>>>>>>         failure
> >>>>>>>     else
> >>>>>>>         success
> >>>>>>>     fi
> >>>>>>>     echo
> >>>>>>>     return $RETVAL
> >>>>>>> }
> >>>>>>> rhstatus() {
> >>>>>>>     status -p "${PIDFILE}" $prog
> >>>>>>> }
> >>>>>>> restart() {
> >>>>>>>     stop
> >>>>>>>     start
> >>>>>>> }
> >>>>>>>
> >>>>>>> case "$1" in
> >>>>>>>   start)
> >>>>>>>     start
> >>>>>>>     ;;
> >>>>>>>   stop)
> >>>>>>>     stop
> >>>>>>>     ;;
> >>>>>>>   restart)
> >>>>>>>     restart
> >>>>>>>     ;;
> >>>>>>>   reload|force-reload)
> >>>>>>>     reload
> >>>>>>>     ;;
> >>>>>>>   status)
> >>>>>>>     rhstatus
> >>>>>>>     ;;
> >>>>>>>   condrestart|try-restart)
> >>>>>>>     rhstatus >/dev/null 2>&1 || exit 0
> >>>>>>>     restart
> >>>>>>>     ;;
> >>>>>>>   *)
> >>>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
> >>>>>>>     exit 2
> >>>>>>> esac
> >>>>>>>
> >>>>>>> exit $?
> >>>>>>>
> >>>>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
> >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
> >>>>>>>>> To: rsyslog-users
> >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
> >>>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> David: thanks - got it working with permission dropping, by far my
> >>>>>>>>> preferred configuration... just didn't know of it...:-) !
> >>>>>>>>> Rainer: please let us know if the debug info of the "permission
> >>>>>>>>> dropping: hang+timeout" I sent you can solve anything... anyway it
> >>>>>>>>> works now - but not optimal if other people have to service my
> >>>>>>>>> setup...:-) !
> >>>>>>>>>
> >>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
> >>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks
> >>>>>>>> like there is some problem with the startup script, which I don't
> >>>>>>>> know. I suggest asking what the FAILED status is caused by. We can
> >>>>>>>> then look why this happens.
> >>>>>>>>
> >>>>>>>> Sorry I have no better answer...
> >>>>>>>> Rainer
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Thanks in advance :-) !
> >>>>>>>>> ~maymann
> >>>>>>>>>
> >>>>>>>>> 2012/2/1 <david [at] lang>
> >>>>>>>>>
> >>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> >>>>>>>>>>> as root.
> >>>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
> >>>>>>>>>>> (and root export of NFS is generally not a good idea !).
> >>>>>>>>>>>
> >>>>>>>>>>> Here is my rsyslog.conf:
> >>>>>>>>>>> #LOAD MODULES
> >>>>>>>>>>> $ModLoad imudp
> >>>>>>>>>>> $UDPServerRun 514
> >>>>>>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>>>>>> $ModLoad imtcp
> >>>>>>>>>>> $InputTCPServerRun 514
> >>>>>>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>>>>> #SET LOGGING CONDITIONS
> >>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
> >>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> >>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
> >>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
> >>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
> >>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
> >>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> >>>>>>>>>>>
> >>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
> >>>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> >>>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> >>>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> >>>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> >>>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> >>>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> >>>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >>>>>>>>>>>
> >>>>>>>>>>> So permissions to bind and sockets seems to be the problem...
> >>>>>>>>>>
> >>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some
> >>>>>>>>>> other non-standard changes through sysctl)
> >>>>>>>>>>
> >>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> >>>>>>>>>>> yes: how ?
> >>>>>>>>>>
> >>>>>>>>>> permission drop features
> >>>>>>>>>>
> >>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
> >>>>>>>>>>> server - if yes: how ?
> >>>>>>>>>>
> >>>>>>>>>> pick a listening port > 1024 and it should work.
> >>>>>>>>>>
> >>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> >>>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >>>>>>>>>>
> >>>>>>>>>> su can run a command as a different user.
> >>>>>>>>>>
> >>>>>>>>>> although as Rainer points out, you may just be looking for the permission
> >>>>>>>>>> dropping features that are already in rsyslog.
> >>>>>>>>>>
> >>>>>>>>>> David Lang
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> rsyslog mailing list
> >>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>>>>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
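Two checks that follow from the replies quoted above, as an added example in POSIX sh that is not code from the thread or from the rsyslog project. David Lang's point is that a non-root process cannot bind a port below 1024, so a listener on 514 either keeps the daemon root or needs the $PrivDropToUser/$PrivDropToGroup drop the thread ends up using, while a listener above 1024 needs neither; the first function classifies a legacy-syntax rsyslog.conf accordingly. The second reads /proc/<pid>/status text and confirms that the surviving process (the one owned by the drop user in the listing, pid 9131 there) really has a non-root uid and gid and an empty effective capability set, which is what a plain setuid/setgid drop leaves behind. The listener directive names come from the posted rsyslog.conf; the user name loguser, the sample configs and the status excerpts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the rsyslog project):
# pre-flight checks for running rsyslog as a non-root user.
#
#  listen_mode  - classify a legacy rsyslog.conf: do its listeners need root
#                 to bind, and is privilege dropping configured?
#  privdrop_ok  - confirm from /proc/<pid>/status text that the daemon runs
#                 with a non-root uid/gid and no effective capabilities
#
# Assumptions: legacy "$Directive" syntax as in the thread; "loguser" and the
# sample configs / status excerpts below are constructed placeholders.

# Print one of: unprivileged | privdrop | root-only
listen_mode() {
    conf="$1"
    # lowest port among $UDPServerRun / $InputTCPServerRun lines (empty if none)
    lowest=$(printf '%s\n' "$conf" | awk '
        /^[$](UDPServerRun|InputTCPServerRun)[ \t]+[0-9]+/ {
            if (min == "" || $2 + 0 < min + 0) min = $2
        }
        END { print min }')
    # both a user and a group drop must be configured (name or numeric-ID form)
    drop=$(printf '%s\n' "$conf" | awk '
        /^[$]PrivDropToUser(ID)?[ \t]/  { u = 1 }
        /^[$]PrivDropToGroup(ID)?[ \t]/ { g = 1 }
        END { print ((u && g) ? "yes" : "no") }')
    if [ -z "$lowest" ] || [ "$lowest" -ge 1024 ]; then
        echo unprivileged      # can be started directly as the log user
    elif [ "$drop" = yes ]; then
        echo privdrop          # start as root: bind first, then drop
    else
        echo root-only         # privileged port and nothing ever drops root
    fi
}

# Return 0 when every Uid/Gid column is non-zero and CapEff is all zeros,
# 1 when root or a capability survives, 2 when the fields are missing.
privdrop_ok() {
    status="$1"
    ids=$(printf '%s\n' "$status" | awk '/^(Uid|Gid):/ { print $2, $3, $4, $5 }')
    capeff=$(printf '%s\n' "$status" | awk '/^CapEff:/ { print $2 }')
    [ -n "$ids" ] && [ -n "$capeff" ] || return 2
    for id in $ids; do
        [ "$id" -ne 0 ] || return 1      # real, effective, saved or fs id is root
    done
    case "$capeff" in
        *[!0]*) return 1 ;;              # some capability bit is still set
    esac
    return 0
}

# Constructed sample: the thread's listeners on 514 plus privilege dropping
CONF_THREAD='$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514
$PrivDropToUser loguser
$PrivDropToGroup loguser'

# Constructed sample: same listeners moved above 1024, no drop required
CONF_HIGHPORT='$ModLoad imudp
$UDPServerRun 1514
$ModLoad imtcp
$InputTCPServerRun 1514'

# Constructed sample: privileged port and no drop, i.e. the daemon stays root
CONF_ROOT='$ModLoad imtcp
$InputTCPServerRun 514'

# Constructed /proc/<pid>/status excerpts (real files use tabs; awk splits on both)
STATUS_DROPPED='Name: rsyslogd
Uid: 498 498 498 498
Gid: 497 497 497 497
CapEff: 0000000000000000'

STATUS_ROOT='Name: rsyslogd
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: ffffffffffffffff'

printf 'thread config   : %s\n' "$(listen_mode "$CONF_THREAD")"
printf 'high-port config: %s\n' "$(listen_mode "$CONF_HIGHPORT")"
printf 'root-only config: %s\n' "$(listen_mode "$CONF_ROOT")"
privdrop_ok "$STATUS_DROPPED" && echo 'dropped sample  : privileges dropped'
privdrop_ok "$STATUS_ROOT"    || echo 'root sample     : NOT dropped'

# Against a live daemon, with the pid file the thread's init script uses:
#   privdrop_ok "$(cat /proc/"$(cat /var/run/syslogd.pid)"/status)" && echo ok
```

Run the live check against the child that survives the drop, not the root-owned parent from the process listing; a non-zero CapEff on that child means something (file capabilities on the binary, a keep-caps setting) retained privilege past the drop and the daemon is not as unprivileged as the configuration suggests.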


michael at maymann

Feb 3, 2012, 12:23 AM

Post #21 of 37 (427 views)
Permalink
Re: rsyslog as non-root user [In reply to]

Hi,

I have attached debug info both when PrivDropTo is enabled and disabled.
Only difference I can see is the 5 minutes it takes for the
PrivDropTo_enabled run to timeout (mother process dies and child process
thereby gets owned by init)...

Hopefully someone can see something more...:-) !


Thanks in advance :-) !
~maymann


2012/2/3 Rainer Gerhards <rgerhards [at] hq>

> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Friday, February 03, 2012 8:38 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog as non-root user
> >
> > Hi,
> >
> > forgot to mention, that when I run:
> > # /usr/sbin/rsyslogd -c 6
> > it does the same thing... (hang+timeout+live
> What do you mean with "hang"? I could see no indication of any slowed-down
> processing inside the debug log. It may also be useful if you shared the
> debug log publicly, in case someone else has an idea.
>
> rainer
>
> > init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
> > enabled in /etc/rsyslog.conf... otherwise working perfectly...
> > Would this possibly be solved in yesterday's release: 6.3.7-devel ?
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/2/3 Michael Maymann <michael [at] maymann>
> >
> > > Hi,
> > >
> > > David: unfortunately this was not the case...:
> > > # cat /etc/sysconfig/selinux
> > > # This file controls the state of SELinux on the system.
> > > # SELINUX= can take one of these three values:
> > > # enforcing - SELinux security policy is enforced.
> > > # permissive - SELinux prints warnings instead of enforcing.
> > > # disabled - SELinux is fully disabled.
> > > SELINUX=disabled
> > > # SELINUXTYPE= type of policy in use. Possible values are:
> > > # targeted - Only targeted network daemons are protected.
> > > # strict - Full SELinux protection.
> > > SELINUXTYPE=targeted
> > >
> > > What else could cause this problem ?
> > >
> > >
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > > 2012/2/2 Michael Maymann <michael [at] maymann>
> > >
> > >> Hi,
> > >>
> > >> David: Thanks for your reply - sounds possible... I will try this
> > first
> > >> thing tomorrow morning and report back with findings...
> > >>
> > >> Br.
> > >> ~maymann
> > >>
> > >> 2012/2/2 <david [at] lang>
> > >>
> > >> On Thu, 2 Feb 2012, Michael Maymann wrote:
> > >>>
> > >>> Hi Rainer,
> > >>>>
> > >>>> I really have my doubts it has something to do with my startup
> > script:
> > >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> > >>>>
> > >>>> I'm running on RHEL6.1_x64.
> > >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
> > >>>> test...?
> > >>>>
> > >>>
> > >>>
> > >>> my guess is that this is a SELINUX related problem.
> > >>>
> > >>> what happens if you try to start rsyslog manually (not by running
> > the
> > >>> startup script, but just running 'rsyslogd -c 6' "
> > >>>
> > >>> David Lang
> > >>>
> > >>>
> > >>>
> > >>>> Thanks in advance :-) !
> > >>>> ~maymann
> > >>>>
> > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > >>>>
> > >>>> Hi,
> > >>>>>
> > >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything
> > about
> > >>>>> failing in the logs... and it actually doesn't fail... it works
> > and
> > >>>>> after
> > >>>>> the timeout+failed notice only the proccess owned by
> > >>>>> PrivDropToUser-USER is
> > >>>>> present, but now owned by the init-proccess (mother proccess
> > dies):
> > >>>>>
> > >>>>> # service rsyslog start
> > >>>>> Starting system logger:
> > [FAILED]
> > >>>>>
> > >>>>> BEFORE failed status:
> > >>>>> root 9126 9125 0 11:07 pts/1 00:00:00
> > /usr/sbin/rsyslogd -c 6
> > >>>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ? 00:00:00
> > >>>>> /usr/sbin/rsyslogd -c 6
> > >>>>>
> > >>>>> AFTER failed status root-owned proccess is killed and
> > >>>>> PrivDropToUser-USER
> > >>>>> owned proccess is therefore gets owned by init:
> > >>>>> <PrivDropToUser-USER> 9131 1 0 11:07 ? 00:00:00
> > >>>>> /usr/sbin/rsyslogd -c 6
> > >>>>>
> > >>>>> Anyone who can help with this...?:
> > >>>>> here is the debug output when starting running the init-script:
> > >>>>> #/etc/init.d/rsyslog start
> > >>>>> + . /etc/init.d/functions
> > >>>>> ++ TEXTDOMAIN=initscripts
> > >>>>> ++ umask 022
> > >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/**usr/bin
> > >>>>> ++ export PATH
> > >>>>> ++ '[' -z '' ']'
> > >>>>> ++ COLUMNS=80
> > >>>>> ++ '[' -z '' ']'
> > >>>>> +++ /sbin/consoletype
> > >>>>> ++ CONSOLETYPE=pty
> > >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > >>>>> ++ . /etc/profile.d/lang.sh
> > >>>>> ++ unset LANGSH_SOURCED
> > >>>>> ++ '[' -z '' ']'
> > >>>>> ++ '[' -f /etc/sysconfig/init ']'
> > >>>>> ++ . /etc/sysconfig/init
> > >>>>> +++ BOOTUP=color
> > >>>>> +++ RES_COL=60
> > >>>>> +++ MOVE_TO_COL='echo -en \033[.60G'
> > >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> > >>>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> > >>>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> > >>>>> +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> > >>>>> +++ PROMPT=yes
> > >>>>> +++ AUTOSWAP=no
> > >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]**'
> > >>>>> +++ SINGLE=/sbin/sushell
> > >>>>> ++ '[' pty = serial ']'
> > >>>>> ++
> > >>>>> __sed_discard_ignored_files='/**\(~\|\.bak\|\.orig\|\.rpmnew\|**
> > >>>>> \.rpmorig\|\.rpmsave\)$/d'
> > >>>>> + RETVAL=0
> > >>>>> + PIDFILE=/var/run/syslogd.pid
> > >>>>> + prog=rsyslogd
> > >>>>> + exec=/usr/sbin/rsyslogd
> > >>>>> + lockfile=/var/lock/subsys/**rsyslogd
> > >>>>> + case "$1" in
> > >>>>> + start
> > >>>>> + '[' -x /usr/sbin/rsyslogd ']'
> > >>>>> + '[' -f /etc/sysconfig/rsyslog ']'
> > >>>>> + . /etc/sysconfig/rsyslog
> > >>>>> ++ SYSLOGD_OPTIONS='-c 6'
> > >>>>> + umask 077
> > >>>>> + echo -n 'Starting system logger: '
> > >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
> > >>>>> /usr/sbin/rsyslogd -c 6
> > >>>>> + local gotbase= force= nicelevel corelimit
> > >>>>> + local pid base= user= nice= bg= pid_file=
> > >>>>> + local cgroup=
> > >>>>> + nicelevel=0
> > >>>>> + '[' --pidfile=/var/run/syslogd.pid '!='
> > >>>>> -pidfile=/var/run/syslogd.pid ']'
> > >>>>> + case $1 in
> > >>>>> + pid_file=/var/run/syslogd.pid
> > >>>>> + shift
> > >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > >>>>> + '[' -z '' ']'
> > >>>>> + base=rsyslogd
> > >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
> > >>>>> + local base=rsyslogd
> > >>>>> + local pid_file=/var/run/syslogd.pid
> > >>>>> + pid=
> > >>>>> + '[' -f /var/run/syslogd.pid ']'
> > >>>>> + return 3
> > >>>>> + '[' -n '' -a -z '' ']'
> > >>>>> + corelimit='ulimit -S -c 0'
> > >>>>> + '[' -n '' ']'
> > >>>>> + '[' -n '' ']'
> > >>>>> + '[' color = verbose -a -z '' ']'
> > >>>>> + '[' -z '' ']'
> > >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ;
> > /usr/sbin/rsyslogd -c
> > >>>>> 6'
> > >>>>> ...
> > >>>>> (hangs here for a long time)
> > >>>>> ...
> > >>>>> + '[' 1 -eq 0 ']'
> > >>>>> + failure 'rsyslogd startup'
> > >>>>> + local rc=1
> > >>>>> + '[' color '!=' verbose -a -z '' ']'
> > >>>>> + echo_failure
> > >>>>> + '[' color = color ']'
> > >>>>> + echo -en '\033[60G'
> > >>>>> + echo
> > -n '['
> > >>>>> [+ '[' color = color ']'
> > >>>>> + echo -en '\033[.0;31m'
> > >>>>> + echo -n FAILED
> > >>>>> FAILED+ '[' color = color ']'
> > >>>>> + echo -en '\033[0;39m'
> > >>>>> + echo -n ']'
> > >>>>> ]+ echo -ne '\r'
> > >>>>> + return 1
> > >>>>> + '[' -x /usr/bin/plymouth ']'
> > >>>>> + /usr/bin/plymouth --details
> > >>>>> + return 1
> > >>>>> + RETVAL=1
> > >>>>> + echo
> > >>>>>
> > >>>>> + '[' 1 -eq 0 ']'
> > >>>>> + return 1
> > >>>>> + exit 1
> > >>>>>
> > >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys
> > - but
> > >>>>> same thing happens...
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> Thanks in advance :-) !
> > >>>>>
> > >>>>> Br.
> > >>>>> ~maymann
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> > >>>>>
> > >>>>> I can only help you with that part if you point me to why
> > exactly the
> > >>>>>> script
> > >>>>>> claims what it does. So you may want to try find someone who can
> > do
> > >>>>>> that.
> > >>>>>> I
> > >>>>>> know this is probably a trivial question, but I don't know
> > anything ;)
> > >>>>>>
> > >>>>>> Sry, rainer
> > >>>>>>
> > >>>>>> -----Original Message-----
> > >>>>>>> From: rsyslog-bounces [at] lists**com<rsyslog-
> > bounces [at] lists>[mailto:
> > >>>>>>> rsyslog-
> > >>>>>>> bounces [at] lists] On Behalf Of Michael Maymann
> > >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
> > >>>>>>> To: rsyslog-users
> > >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
> > >>>>>>>
> > >>>>>>> Here is my startup script... only thing changed is the path to
> > the
> > >>>>>>> new
> > >>>>>>> 6.3.6-rsyslog-devel binary.
> > >>>>>>> The startup-scripts works also perfectly when i comment out the
> > >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but
> > failes if i
> > >>>>>>> have
> > >>>>>>> both or one of the entries...:
> > >>>>>>> #!/bin/bash
> > >>>>>>> #
> > >>>>>>> # rsyslog Starts rsyslogd/rklogd.
> > >>>>>>> #
> > >>>>>>> #
> > >>>>>>> # chkconfig: 2345 12 88
> > >>>>>>> # description: Syslog is the facility by which many daemons use
> > to
> > >>>>>>> log
> > >>>>>>> \
> > >>>>>>> # messages to various system log files. It is a good idea to
> > always
> > >>>>>>> \
> > >>>>>>> # run rsyslog.
> > >>>>>>> ### BEGIN INIT INFO
> > >>>>>>> # Provides: $syslog
> > >>>>>>> # Required-Start: $local_fs
> > >>>>>>> # Required-Stop: $local_fs
> > >>>>>>> # Default-Start: 2 3 4 5
> > >>>>>>> # Default-Stop: 0 1 6
> > >>>>>>> # Short-Description: Enhanced system logging and kernel message
> > >>>>>>> trapping
> > >>>>>>> daemons
> > >>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd
> > >>>>>>> supporting,
> > >>>>>>> # among others, MySQL, syslog/tcp, RFC 3195,
> > permitted
> > >>>>>>> # sender lists, filtering on any message part, and
> > fine
> > >>>>>>> # grain output format control.
> > >>>>>>> ### END INIT INFO
> > >>>>>>>
> > >>>>>>> # Source function library.
> > >>>>>>> . /etc/init.d/functions
> > >>>>>>>
> > >>>>>>> RETVAL=0
> > >>>>>>> PIDFILE=/var/run/syslogd.pid
> > >>>>>>>
> > >>>>>>> prog=rsyslogd
> > >>>>>>> #exec=/sbin/rsyslogd
> > >>>>>>> exec=/usr/sbin/rsyslogd
> > >>>>>>> lockfile=/var/lock/subsys/$**prog
> > >>>>>>>
> > >>>>>>> start() {
> > >>>>>>> [ -x $exec ] || exit 5
> > >>>>>>>
> > >>>>>>> # Source config
> > >>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then
> > >>>>>>> . /etc/sysconfig/rsyslog
> > >>>>>>> fi
> > >>>>>>> umask 077
> > >>>>>>>
> > >>>>>>> echo -n $"Starting system logger: "
> > >>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> > >>>>>>> RETVAL=$?
> > >>>>>>> echo
> > >>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile
> > >>>>>>> return $RETVAL
> > >>>>>>> }
> > >>>>>>> stop() {
> > >>>>>>> echo -n $"Shutting down system logger: "
> > >>>>>>> killproc $prog
> > >>>>>>> RETVAL=$?
> > >>>>>>> echo
> > >>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile
> > >>>>>>> return $RETVAL
> > >>>>>>> }
> > >>>>>>> reload() {
> > >>>>>>> RETVAL=1
> > >>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null)
> > >>>>>>> echo -n "Reloading system logger..."
> > >>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> > >>>>>>> kill -HUP "$syslog";
> > >>>>>>> RETVAL=$?
> > >>>>>>> fi
> > >>>>>>> if [ $RETVAL -ne 0 ]; then
> > >>>>>>> failure
> > >>>>>>> else
> > >>>>>>> success
> > >>>>>>> fi
> > >>>>>>> echo
> > >>>>>>> return $RETVAL
> > >>>>>>> }
> > >>>>>>> rhstatus() {
> > >>>>>>> status -p "${PIDFILE}" $prog
> > >>>>>>> }
> > >>>>>>> restart() {
> > >>>>>>> stop
> > >>>>>>> start
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> case "$1" in
> > >>>>>>> start)
> > >>>>>>> start
> > >>>>>>> ;;
> > >>>>>>> stop)
> > >>>>>>> stop
> > >>>>>>> ;;
> > >>>>>>> restart)
> > >>>>>>> restart
> > >>>>>>> ;;
> > >>>>>>> reload|force-reload)
> > >>>>>>> reload
> > >>>>>>> ;;
> > >>>>>>> status)
> > >>>>>>> rhstatus
> > >>>>>>> ;;
> > >>>>>>> condrestart|try-restart)
> > >>>>>>> rhstatus >/dev/null 2>&1 || exit 0
> > >>>>>>> restart
> > >>>>>>> ;;
> > >>>>>>> *)
> > >>>>>>> echo $"Usage: $0
> > >>>>>>> {start|stop|restart|**condrestart|try-restart|**reload|force-
> > >>>>>>> reload|status}"
> > >>>>>>> exit 2
> > >>>>>>> esac
> > >>>>>>>
> > >>>>>>> exit $?
> > >>>>>>>
> > >>>>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>>
> > >>>>>>>> -----Original Message-----
> > >>>>>>>>> From: rsyslog-bounces [at] lists**com<rsyslog-
> > bounces [at] lists>[mailto:
> > >>>>>>>>> rsyslog-
> > >>>>>>>>> bounces [at] lists] On Behalf Of Michael Maymann
> > >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
> > >>>>>>>>> To: rsyslog-users
> > >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
> > >>>>>>>>>
> > >>>>>>>>> Hi,
> > >>>>>>>>>
> > >>>>>>>>> David: thanks - got it working with permission dropping, by
> > far my
> > >>>>>>>>> prefered
> > >>>>>>>>> configuration... just didn't know of it...:-) !
> > >>>>>>>>> Rainer: please let us know if the debug info of the
> > "permission
> > >>>>>>>>> dropping:
> > >>>>>>>>> hang+timeout" I send you can solve anything... anyway it
> > works now
> > >>>>>>>>>
> > >>>>>>>> -
> > >>>>>>>
> > >>>>>>>> but
> > >>>>>>>>> not optimal if other people have to service my setup...:-) !
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>> I have reviewed the debug log and I see nothing unexpected.
> > From the
> > >>>>>>>> timestamps I also see that there is no hang whatsoever. So it
> > looks
> > >>>>>>>>
> > >>>>>>> like
> > >>>>>>>
> > >>>>>>>> there is some problem with the startup script, which I don't
> > know. I
> > >>>>>>>> suggest
> > >>>>>>>> to ask what the FAILED status is caused by. We can then look
> > why
> > >>>>>>>> this
> > >>>>>>>> happens.
> > >>>>>>>>
> > >>>>>>>> Sorry I have no better answer...
> > >>>>>>>> Rainer
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>> Thanks in advance :-) !
> > >>>>>>>>> ~maymann
> > >>>>>>>>>
> > >>>>>>>>> 2012/2/1 <david [at] lang>
> > >>>>>>>>>
> > >>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
> > >>>>>>>>>>
> > >>>>>>>>>>> Hi,
> > >>>>>>>>>>>
> > >>>>>>>>>>> I have now set up a 6.3.6-devel rsyslog server that is working
> > >>>>>>>>>>> fine running as root.
> > >>>>>>>>>>> I would like to run it as non-root user as my logfiles are
> > >>>>>>>>>>> located on NFS (and root export of NFS is generally not a good
> > >>>>>>>>>>> idea !).
> > >>>>>>>>>>>
> > >>>>>>>>>>> Here is my rsyslog.conf:
> > >>>>>>>>>>> #LOAD MODULES
> > >>>>>>>>>>> $ModLoad imudp
> > >>>>>>>>>>> $UDPServerRun 514
> > >>>>>>>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>>>>>>> $ModLoad imtcp
> > >>>>>>>>>>> $InputTCPServerRun 514
> > >>>>>>>>>>> #SET DESTINATION FOR LOGS
> > >>>>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>>>>> #SET LOGGING CONDITIONS
> > >>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
> > >>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> > >>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
> > >>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
> > >>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
> > >>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
> > >>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> > >>>>>>>>>>>
> > >>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
> > >>>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> > >>>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
> > >>>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
> > >>>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> > >>>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
> > >>>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> > >>>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> > >>>>>>>>>>>
> > >>>>>>>>>>> So permissions to bind and sockets seem to be the problem...
> > >>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making
> > >>>>>>>>>> some other non-standard changes through sysctl)
> > >>>>>>>>>>
> > >>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user
> > >>>>>>>>>>> - if yes: how ?
> > >>>>>>>>>>
> > >>>>>>>>>> permission drop features
> > >>>>>>>>>>
> > >>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run
> > >>>>>>>>>>> rsyslog server - if yes: how ?
> > >>>>>>>>>>
> > >>>>>>>>>> pick a listening port > 1024 and it should work.
> > >>>>>>>>>>
> > >>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can
> > >>>>>>>>>>> chkconfig do this ? do I need to edit /etc/init.d/rsyslog - if yes:
> > >>>>>>>>>>> how ?
> > >>>>>>>>>>
> > >>>>>>>>>> su can run a command as a different user.
> > >>>>>>>>>>
> > >>>>>>>>>> although as Rainer points out, you may just be looking for the
> > >>>>>>>>>> permission dropping features that are already in rsyslog.
> > >>>>>>>>>>
> > >>>>>>>>>> David Lang
> > >>>>>>>>>>
> > >>>>>>>>>> _______________________________________________
> > >>>>>>>>>> rsyslog mailing list
> > >>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>>>>>> http://www.rsyslog.com/professional-services/
>
Attachments: PrivDropTo_enabled.txt (137 KB)
  PrivDropTo_disabled.txt (136 KB)
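The exchange quoted above leaves two ways to get this collector off root: pick listener ports above 1023 and run the whole daemon as an unprivileged user, or start it as root and let rsyslog switch to an unprivileged account with $PrivDropToUser/$PrivDropToGroup (the "permission drop features" David points to, which is what the poster ended up using). What follows is an added example written for this page, not code from rsyslog or from anyone in the thread: a small Python linter that reads a legacy-syntax rsyslog.conf and reports which of the two the config needs, run against a constructed copy of the posted config and two variants. Assumptions made here and labelled in the code: the privileged-port boundary is the Linux default of 0-1023; $UDPServerAddress, like other legacy directives, only affects $UDPServerRun lines that follow it; the two privilege-drop directives act independently, so setting only the user leaves the group unchanged; the account name rsyslog used in the variants is made up.

```python
"""Static privilege check for a legacy-syntax rsyslog.conf (added example for this
page, not rsyslog's or the poster's code; Linux default assumed: ports 0-1023
need root or CAP_NET_BIND_SERVICE)."""
from dataclasses import dataclass, field
from typing import List, Optional

PRIV_PORT_MAX = 1023
LISTENER_DIRECTIVES = {"$UDPServerRun": "udp", "$InputTCPServerRun": "tcp"}

@dataclass
class Listener:
    proto: str
    port: int
    bind: str = "*"  # "*" = all addresses, rsyslog's default

@dataclass
class Report:
    listeners: List[Listener] = field(default_factory=list)
    drop_user: Optional[str] = None
    drop_group: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def privileged_ports(self) -> List[Listener]:
        return [l for l in self.listeners if l.port <= PRIV_PORT_MAX]

    @property
    def can_start_unprivileged(self) -> bool:
        return not self.privileged_ports

def parse(conf: str) -> Report:
    """Collect listeners and privilege-drop directives."""
    rep = Report()
    udp_addr: Optional[str] = None  # last $UDPServerAddress seen
    udp_addr_applied = True  # assumption: it only affects later $UDPServerRun lines
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key in LISTENER_DIRECTIVES:
            proto = LISTENER_DIRECTIVES[key]
            bind = udp_addr if proto == "udp" and udp_addr else "*"
            udp_addr_applied = udp_addr_applied or proto == "udp"
            rep.listeners.append(Listener(proto, int(val), bind))
        elif key == "$UDPServerAddress":
            udp_addr, udp_addr_applied = val, False
        elif key == "$PrivDropToUser":
            rep.drop_user = val
        elif key == "$PrivDropToGroup":
            rep.drop_group = val
    if udp_addr and not udp_addr_applied:
        rep.findings.append(
            f"$UDPServerAddress {udp_addr} comes after the last $UDPServerRun, "
            "so it is never applied: the UDP listener binds to all addresses")
    return rep

def lint(conf: str) -> Report:
    """Parse, then add the findings a reviewer would raise about root."""
    rep = parse(conf)
    priv = ", ".join(f"{l.proto}/{l.port}" for l in rep.privileged_ports)
    if rep.privileged_ports and rep.drop_user is None:
        rep.findings.append(
            f"binds privileged port(s) {priv} and never drops privileges: the "
            "daemon either stays root for its whole life or, started "
            "unprivileged, fails with 'bind: Permission denied' as in the log")
    elif rep.privileged_ports:
        rep.findings.append(
            f"binds privileged port(s) {priv}: must be started as root so the "
            f"bind happens before the switch to user {rep.drop_user!r}")
    # assumption: the two directives act independently (setgid, then setuid)
    if rep.drop_user and rep.drop_group is None:
        rep.findings.append("$PrivDropToUser without $PrivDropToGroup: only "
                            "the uid changes, the process keeps root's gid")
    return rep

# Constructed samples. POSTED mirrors the config from the first post.
POSTED = """\
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
if $syslogseverity <= '6' then ?DYNmessages
"""
# keep port 514, start as root, drop to a made-up dedicated account
PRIVDROP = POSTED + "$PrivDropToUser rsyslog\n$PrivDropToGroup rsyslog\n"
# no root at all: high ports, address set before the run directive it governs
HIGHPORT = "$ModLoad imudp\n$UDPServerAddress 127.0.0.1\n$UDPServerRun 10514\n" \
           "$ModLoad imtcp\n$InputTCPServerRun 10514\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("privdrop", PRIVDROP), ("highport", HIGHPORT)):
        rep = lint(conf)
        print(f"[{name}] can start unprivileged: {rep.can_start_unprivileged}")
        print(*("  - " + f for f in rep.findings), sep="\n")
```

Run as a script it prints the findings per sample. On the posted config it reports that port 514 on both listeners needs root at startup, and that the $UDPServerAddress line sits after the $UDPServerRun it was meant to restrict, so the UDP listener is not confined to loopback. David's point that binding below 1024 needs root or non-standard sysctl changes still holds; on current kernels the net.ipv4.ip_unprivileged_port_start sysctl lowers that boundary, and the linter simply takes the default.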


rgerhards at hq

Feb 3, 2012, 12:41 AM

Post #22 of 37 (427 views)
Permalink
Re: rsyslog as non-root user [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 9:24 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> I have attached debug info both when PrivDropTo is enabled and disabled.
> Only difference I can see is the 5 minutes it takes for the
> PrivDropTo_enabled run to timeout (mother process dies and child process
> thereby gets owned by init)...

Ah, it looks like you use auto-backgrounding (which is the default due to
historical reasons). You can disable that via -n. I don't know if the init
script expects auto-backgrounding or not...
Rainer
>
> Hopefully someone can see something more...:-) !
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
>
> > > -----Original Message-----
> > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > > bounces [at] lists] On Behalf Of Michael Maymann
> > > Sent: Friday, February 03, 2012 8:38 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] rsyslog as non-root user
> > >
> > > Hi,
> > >
> > > forgot to mention, that when I run:
> > > # /usr/sbin/rsyslogd -c 6
> > > it does the same thing... (hang+timeout+live
> > What do you mean with "hang"? I could see no indication of any slowed-down
> > processing inside the debug log. It may also be useful if you shared the
> > debug log publicly, in case someone else has an idea.
> >
> > rainer
> >
> > > init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
> > > enabled in /etc/rsyslog.conf... otherwise working perfectly...
> > > Would this possibly be solved in yesterday's release: 6.3.7-devel ?
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > > 2012/2/3 Michael Maymann <michael [at] maymann>
> > >
> > > > Hi,
> > > >
> > > > David: unfortunately this was not the case...:
> > > > # cat /etc/sysconfig/selinux
> > > > # This file controls the state of SELinux on the system.
> > > > # SELINUX= can take one of these three values:
> > > > # enforcing - SELinux security policy is enforced.
> > > > # permissive - SELinux prints warnings instead of
> enforcing.
> > > > # disabled - SELinux is fully disabled.
> > > > SELINUX=disabled
> > > > # SELINUXTYPE= type of policy in use. Possible values are:
> > > > # targeted - Only targeted network daemons are protected.
> > > > # strict - Full SELinux protection.
> > > > SELINUXTYPE=targeted
> > > >
> > > > What else could cause this problem ?
> > > >
> > > >
> > > >
> > > > Thanks in advance :-) !
> > > > ~maymann
> > > >
> > > > 2012/2/2 Michael Maymann <michael [at] maymann>
> > > >
> > > >> Hi,
> > > >>
> > > >> David: Thanks for your reply - sounds possible... I will try this first
> > > >> thing tomorrow morning and report back with findings...
> > > >>
> > > >> Br.
> > > >> ~maymann
> > > >>
> > > >> 2012/2/2 <david [at] lang>
> > > >>
> > > >> On Thu, 2 Feb 2012, Michael Maymann wrote:
> > > >>>
> > > >>> Hi Rainer,
> > > >>>>
> > > >>>> I really have my doubts it has something to do with my startup script:
> > > >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > > >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> > > >>>>
> > > >>>> I'm running on RHEL6.1_x64.
> > > >>>> Do you have a working /etc/init.d/rsyslog that you can share/I can
> > > >>>> test...?
> > > >>>>
> > > >>>
> > > >>>
> > > >>> my guess is that this is a SELINUX related problem.
> > > >>>
> > > >>> what happens if you try to start rsyslog manually (not by running the
> > > >>> startup script, but just running 'rsyslogd -c 6')?
> > > >>>
> > > >>> David Lang
> > > >>>
> > > >>>
> > > >>>
> > > >>>> Thanks in advance :-) !
> > > >>>> ~maymann
> > > >>>>
> > > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > > >>>>
> > > >>>> Hi,
> > > >>>>>
> > > >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
> > > >>>>> failing in the logs... and it actually doesn't fail... it works and
> > > >>>>> after the timeout+failed notice only the process owned by
> > > >>>>> PrivDropToUser-USER is present, but now owned by the init process
> > > >>>>> (mother process dies):
> > > >>>>>
> > > >>>>> # service rsyslog start
> > > >>>>> Starting system logger:                                    [FAILED]
> > > >>>>>
> > > >>>>> BEFORE failed status:
> > > >>>>> root                  9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> > > >>>>> <PrivDropToUser-USER> 9131 9126 0 11:07 ?     00:00:00 /usr/sbin/rsyslogd -c 6
> > > >>>>>
> > > >>>>> AFTER failed status the root-owned process is killed and the
> > > >>>>> PrivDropToUser-USER owned process therefore gets owned by init:
> > > >>>>> <PrivDropToUser-USER> 9131 1    0 11:07 ?     00:00:00 /usr/sbin/rsyslogd -c 6
> > > >>>>>
> > > >>>>> Anyone who can help with this...?:
> > > >>>>> here is the debug output when running the init script:
> > > >>>>> #/etc/init.d/rsyslog start
> > > >>>>> + . /etc/init.d/functions
> > > >>>>> ++ TEXTDOMAIN=initscripts
> > > >>>>> ++ umask 022
> > > >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> > > >>>>> ++ export PATH
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> ++ COLUMNS=80
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> +++ /sbin/consoletype
> > > >>>>> ++ CONSOLETYPE=pty
> > > >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > > >>>>> ++ . /etc/profile.d/lang.sh
> > > >>>>> ++ unset LANGSH_SOURCED
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> ++ '[' -f /etc/sysconfig/init ']'
> > > >>>>> ++ . /etc/sysconfig/init
> > > >>>>> +++ BOOTUP=color
> > > >>>>> +++ RES_COL=60
> > > >>>>> +++ MOVE_TO_COL='echo -en \033[.60G'
> > > >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[.0;32m'
> > > >>>>> +++ SETCOLOR_FAILURE='echo -en \033[.0;31m'
> > > >>>>> +++ SETCOLOR_WARNING='echo -en \033[.0;33m'
> > > >>>>> +++ SETCOLOR_NORMAL='echo -en \033[.0;39m'
> > > >>>>> +++ PROMPT=yes
> > > >>>>> +++ AUTOSWAP=no
> > > >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> > > >>>>> +++ SINGLE=/sbin/sushell
> > > >>>>> ++ '[' pty = serial ']'
> > > >>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> > > >>>>> + RETVAL=0
> > > >>>>> + PIDFILE=/var/run/syslogd.pid
> > > >>>>> + prog=rsyslogd
> > > >>>>> + exec=/usr/sbin/rsyslogd
> > > >>>>> + lockfile=/var/lock/subsys/rsyslogd
> > > >>>>> + case "$1" in
> > > >>>>> + start
> > > >>>>> + '[' -x /usr/sbin/rsyslogd ']'
> > > >>>>> + '[' -f /etc/sysconfig/rsyslog ']'
> > > >>>>> + . /etc/sysconfig/rsyslog
> > > >>>>> ++ SYSLOGD_OPTIONS='-c 6'
> > > >>>>> + umask 077
> > > >>>>> + echo -n 'Starting system logger: '
> > > >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
> > > >>>>> + local gotbase= force= nicelevel corelimit
> > > >>>>> + local pid base= user= nice= bg= pid_file=
> > > >>>>> + local cgroup=
> > > >>>>> + nicelevel=0
> > > >>>>> + '[' --pidfile=/var/run/syslogd.pid '!='
> > > >>>>> -pidfile=/var/run/syslogd.pid ']'
> > > >>>>> + case $1 in
> > > >>>>> + pid_file=/var/run/syslogd.pid
> > > >>>>> + shift
> > > >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > > >>>>> + '[' -z '' ']'
> > > >>>>> + base=rsyslogd
> > > >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
> > > >>>>> + local base=rsyslogd
> > > >>>>> + local pid_file=/var/run/syslogd.pid
> > > >>>>> + pid=
> > > >>>>> + '[' -f /var/run/syslogd.pid ']'
> > > >>>>> + return 3
> > > >>>>> + '[' -n '' -a -z '' ']'
> > > >>>>> + corelimit='ulimit -S -c 0'
> > > >>>>> + '[' -n '' ']'
> > > >>>>> + '[' -n '' ']'
> > > >>>>> + '[' color = verbose -a -z '' ']'
> > > >>>>> + '[' -z '' ']'
> > > >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> > > >>>>> ...
> > > >>>>> (hangs here for a long time)
> > > >>>>> ...
> > > >>>>> + '[' 1 -eq 0 ']'
> > > >>>>> + failure 'rsyslogd startup'
> > > >>>>> + local rc=1
> > > >>>>> + '[' color '!=' verbose -a -z '' ']'
> > > >>>>> + echo_failure
> > > >>>>> + '[' color = color ']'
> > > >>>>> + echo -en '\033[60G'
> > > >>>>> + echo -n '['
> > > >>>>> [+ '[' color = color ']'
> > > >>>>> + echo -en '\033[.0;31m'
> > > >>>>> + echo -n FAILED
> > > >>>>> FAILED+ '[' color = color ']'
> > > >>>>> + echo -en '\033[0;39m'
> > > >>>>> + echo -n ']'
> > > >>>>> ]+ echo -ne '\r'
> > > >>>>> + return 1
> > > >>>>> + '[' -x /usr/bin/plymouth ']'
> > > >>>>> + /usr/bin/plymouth --details
> > > >>>>> + return 1
> > > >>>>> + RETVAL=1
> > > >>>>> + echo
> > > >>>>>
> > > >>>>> + '[' 1 -eq 0 ']'
> > > >>>>> + return 1
> > > >>>>> + exit 1
> > > >>>>>
> > > >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys -
> > > >>>>> but the same thing happens...
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> Thanks in advance :-) !
> > > >>>>>
> > > >>>>> Br.
> > > >>>>> ~maymann
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> 2012/2/2 Rainer Gerhards <rgerhards [at] hq>
> > > >>>>>
> > > >>>>>> I can only help you with that part if you point me to why exactly
> > > >>>>>> the script claims what it does. So you may want to try to find
> > > >>>>>> someone who can do that. I know this is probably a trivial
> > > >>>>>> question, but I don't know anything ;)
> > > >>>>>>
> > > >>>>>> Sorry, rainer
> > > >>>>>>
> > > >>>>>> -----Original Message-----
> > > >>>>>>> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > > >>>>>>> bounces [at] lists] On Behalf Of Michael Maymann
> > > >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
> > > >>>>>>> To: rsyslog-users
> > > >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
> > > >>>>>>>
> > > >>>>>>> Here is my startup script... only thing changed is the path to
> > > >>>>>>> the new 6.3.6-rsyslog-devel binary.
> > > >>>>>>> The startup script also works perfectly when I comment out the
> > > >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if
> > > >>>>>>> I have both or one of the entries...:
> > > >>>>>>> #!/bin/bash
> > > >>>>>>> #
> > > >>>>>>> # rsyslog        Starts rsyslogd/rklogd.
> > > >>>>>>> #
> > > >>>>>>> #
> > > >>>>>>> # chkconfig: 2345 12 88
> > > >>>>>>> # description: Syslog is the facility by which many daemons use to log \
> > > >>>>>>> # messages to various system log files.  It is a good idea to always \
> > > >>>>>>> # run rsyslog.
> > > >>>>>>> ### BEGIN INIT INFO
> > > >>>>>>> # Provides: $syslog
> > > >>>>>>> # Required-Start: $local_fs
> > > >>>>>>> # Required-Stop: $local_fs
> > > >>>>>>> # Default-Start: 2 3 4 5
> > > >>>>>>> # Default-Stop: 0 1 6
> > > >>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
> > > >>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> > > >>>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
> > > >>>>>>> #              sender lists, filtering on any message part, and fine
> > > >>>>>>> #              grain output format control.
> > > >>>>>>> ### END INIT INFO
> > > >>>>>>>
> > > >>>>>>> # Source function library.
> > > >>>>>>> . /etc/init.d/functions
> > > >>>>>>>
> > > >>>>>>> RETVAL=0
> > > >>>>>>> PIDFILE=/var/run/syslogd.pid
> > > >>>>>>>
> > > >>>>>>> prog=rsyslogd
> > > >>>>>>> #exec=/sbin/rsyslogd
> > > >>>>>>> exec=/usr/sbin/rsyslogd
> > > >>>>>>> lockfile=/var/lock/subsys/$prog
> > > >>>>>>>
> > > >>>>>>> start() {
> > > >>>>>>> [ -x $exec ] || exit 5
> > > >>>>>>>
> > > >>>>>>> # Source config
> > > >>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then
> > > >>>>>>> . /etc/sysconfig/rsyslog
> > > >>>>>>> fi
> > > >>>>>>> umask 077
> > > >>>>>>>
> > > >>>>>>> echo -n $"Starting system logger: "
> > > >>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
> > > >>>>>>> RETVAL=$?
> > > >>>>>>> echo
> > > >>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile
> > > >>>>>>> return $RETVAL
> > > >>>>>>> }
> > > >>>>>>> stop() {
> > > >>>>>>> echo -n $"Shutting down system logger: "
> > > >>>>>>> killproc $prog
> > > >>>>>>> RETVAL=$?
> > > >>>>>>> echo
> > > >>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile
> > > >>>>>>> return $RETVAL
> > > >>>>>>> }
> > > >>>>>>> reload() {
> > > >>>>>>> RETVAL=1
> > > >>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null)
> > > >>>>>>> echo -n "Reloading system logger..."
> > > >>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
> > > >>>>>>> kill -HUP "$syslog";
> > > >>>>>>> RETVAL=$?
> > > >>>>>>> fi
> > > >>>>>>> if [ $RETVAL -ne 0 ]; then
> > > >>>>>>> failure
> > > >>>>>>> else
> > > >>>>>>> success
> > > >>>>>>> fi
> > > >>>>>>> echo
> > > >>>>>>> return $RETVAL
> > > >>>>>>> }
> > > >>>>>>> rhstatus() {
> > > >>>>>>> status -p "${PIDFILE}" $prog
> > > >>>>>>> }
> > > >>>>>>> restart() {
> > > >>>>>>> stop
> > > >>>>>>> start
> > > >>>>>>> }
> > > >>>>>>>
> > > >>>>>>> case "$1" in
> > > >>>>>>> start)
> > > >>>>>>> start
> > > >>>>>>> ;;
> > > >>>>>>> stop)
> > > >>>>>>> stop
> > > >>>>>>> ;;
> > > >>>>>>> restart)
> > > >>>>>>> restart
> > > >>>>>>> ;;
> > > >>>>>>> reload|force-reload)
> > > >>>>>>> reload
> > > >>>>>>> ;;
> > > >>>>>>> status)
> > > >>>>>>> rhstatus
> > > >>>>>>> ;;
> > > >>>>>>> condrestart|try-restart)
> > > >>>>>>> rhstatus >/dev/null 2>&1 || exit 0
> > > >>>>>>> restart
> > > >>>>>>> ;;
> > > >>>>>>> *)
> > > >>>>>>> echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
> > > >>>>>>> exit 2
> > > >>>>>>> esac
> > > >>>>>>>
> > > >>>>>>> exit $?
> > > >>>>>>>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


rgerhards at hq
Feb 3, 2012, 12:47 AM
Post #23 of 37
Re: rsyslog as non-root user

> > I have attached debug info both when PrivDropTo is enabled and
> > disabled.
> > Only difference I can see is the 5 minutes it takes for the
> > PrivDropTo_enabled run to timeout (mother process dies and
> > child process
> > thereby gets owned by init)...
>
> Ah, it looks like you use auto-backgrounding (which is the default due
> to
> historical reasons). You can disable that via -n. I don't know if the
> init
> script expects auto-backgrounding or not...

I should add: if auto-backgrounding is used, the parent process is just a
shim to start the actual instance (the child). It then waits some time on the
child until it is sure it has started (I haven't visited that code for many
years...). So it is expected that the parent terminates after a while (and I
think, but do not know right now, that this may take some minutes).

Suggest: try without auto-backgrounding so that we know if the problem is
related to that feature.

rainer


michael at maymann
Feb 3, 2012, 1:03 AM
Post #24 of 37
Re: rsyslog as non-root user

Hi,

Rainer: thanks for your reply.
Tried without auto-backgrounding; here are the processes I see:
root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service
rsyslog start
root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash
/etc/init.d/rsyslog start
root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0
>/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n
<PrivDropToUser> 14823 14822 0 10:43 pts/0 00:00:00 /usr/sbin/rsyslogd
-c 6 -n

Now it doesn't seem to time out and kill the mother process... :-) !

Only thing is it doesn't return after:
# service rsyslog start

I have tried adding "&" to /etc/sysconfig/rsyslog:
SYSLOGD_OPTIONS="-c 6 -n &"
but again this kills the mother process... and my guess is the root-owned
mother process should continue to be there - right ?

Any idea how to implement this properly ?


Thanks in advance :-) !
~maymann


2012/2/3 Rainer Gerhards <rgerhards [at] hq>

> > > I have attached debug info both when PrivDropTo is enabled and
> > > disabled.
> > > Only difference I can see is the 5 minutes it takes for the
> > > PrivDropTo_enabled run to timeout (mother process dies and
> > > child process
> > > thereby gets owned by init)...
> >
> > Ah, it looks like you use auto-backgrounding (which is the default due
> > to
> > historical reasons). You can disable that via -n. I don't know if the
> > init
> > script expects auto-backgrounding or not...
>
> I should add: if auto-backgrounding is used, the parent process is just a
> shim to start the actual instance (the child). It then waits some time on
> the
> child until it is sure it has started (I haven't visited that code for many
> years...). So it is expected that the parent terminates after a while (and
> I
> think-but do not know right now- that this may take some minutes).
>
> Suggest: try without auto-backgrounding so that we know if the problem is
> related to that Feature.
>
> rainer
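The process list above shows why "-n &" in SYSLOGD_OPTIONS misbehaves: the init script passes the options inside a `bash -c` string, so the `&` becomes a shell operator in that inner bash, which then exits and takes the "mother process" with it. The usual remedy is to let the script that tracks the daemon do the backgrounding itself and record the PID, and then to check the owner of that PID, which is also how you confirm that the privilege drop actually happened. The following is an added example written for this thread, not code from rsyslog or from any distribution init script; the function names and pidfile argument are my own, and `sleep` stands in for `rsyslogd -n` so that it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): run a daemon that stays in the
# foreground (like "rsyslogd -n") from an init-script-style function,
# record its PID, and report which user it is running as.

# start_foreground_daemon PIDFILE CMD [ARGS...]
# Backgrounds CMD with the calling shell's own "&" operator, not a "&"
# smuggled in through an options variable, detaches stdio and writes the PID.
start_foreground_daemon() {
    pidfile=$1
    shift
    "$@" </dev/null >/dev/null 2>&1 &
    echo $! > "$pidfile"
}

# daemon_running PIDFILE -> exit status 0 if the recorded PID is alive.
daemon_running() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill -0 "$pid" 2>/dev/null
}

# daemon_user PIDFILE -> prints the user the daemon runs as.
# For a privilege-dropping daemon this is the check that the drop took
# effect: the listener process should show the unprivileged user, not root.
daemon_user() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    ps -o user= -p "$pid" | tr -d ' '
}

# stop_daemon PIDFILE -> terminates the daemon and removes the pidfile.
stop_daemon() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null || true
    # wait only succeeds for our own child; ignore the status of a killed one
    wait "$pid" 2>/dev/null || true
    rm -f "$1"
}

# Stand-alone demonstration with sleep as the stand-in daemon.
if [ "${1:-}" = "demo" ]; then
    demo_pidfile=$(mktemp)
    start_foreground_daemon "$demo_pidfile" sleep 30
    echo "started pid $(cat "$demo_pidfile") as user $(daemon_user "$demo_pidfile")"
    stop_daemon "$demo_pidfile"
    daemon_running "$demo_pidfile" || echo "stopped"
fi
```

Run it with `sh script.sh demo` to see the start, owner report and stop. In a real init script the pidfile is what `stop` and `status` consult, so the root-owned `service` shell does not need to stay around once the daemon is detached.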


rgerhards at hq
Feb 3, 2012, 1:07 AM
Post #25 of 37
Re: rsyslog as non-root user

I guess you need to understand what the init scripts demand. I don't, so I'd
better not provide any more comments ;)

rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 10:04 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> Rainer: thanks for your reply.
> Tried without auto-backgrounding; here are the processes I see:
> root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service
> rsyslog start
> root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash
> /etc/init.d/rsyslog start
> root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S
> -c 0
> >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n
> <PrivDropToUser> 14823 14822 0 10:43 pts/0 00:00:00
> /usr/sbin/rsyslogd
> -c 6 -n
>
> Now it doesn't seem to time out and kill the mother process... :-) !
>
> Only thing is it doesn't return after:
> # service rsyslog start
>
> I have tried adding "&" to /etc/sysconfig/rsyslog:
> SYSLOGD_OPTIONS="-c 6 -n &"
> but again this kills the mother process... and my guess is the root-
> owned
> mother process should continue to be there - right ?
>
> Any idea how to implement this properly ?
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
>
> > > > I have attached debug info both when PrivDropTo is enabled and
> > > > disabled.
> > > > Only difference I can see is the 5 minutes it takes for the
> > > > PrivDropTo_enabled run to timeout (mother process dies and
> > > > child process
> > > > thereby gets owned by init)...
> > >
> > > Ah, it looks like you use auto-backgrounding (which is the default
> due
> > > to
> > > historical reasons). You can disable that via -n. I don't know if
> the
> > > init
> > > script expects auto-backgrounding or not...
> >
> > I should add: if auto-backgrounding is used, the parent process is
> just a
> > shim to start the actual instance (the child). It then waits some
> time on
> > the
> > child until it is sure it has started (I haven't visited that code
> for many
> > years...). So it is expected that the parent terminates after a while
> (and
> > I
> > think-but do not know right now- that this may take some minutes).
> >
> > Suggest: try without auto-backgrounding so that we know if the problem
> is
> > related to that Feature.
> >
> > rainer
