Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 453024

Summary: app-admin/syslog-ng-3.3.5-r1 - syslog-ng: Error creating persistent state file; filename='/var/lib/misc/syslog-ng.persist-', error='Permission denied (13)'
Product: Gentoo Linux Reporter: wbrana
Component: [OLD] Core systemAssignee: Mr. Bones. (RETIRED) <mr_bones_>
Status: RESOLVED INVALID    
Severity: normal CC: yac
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: complete patch RC1

Description wbrana 2013-01-19 18:41:52 UTC 
syslog-ng can't run as non-root

Reproducible: Always

Steps to Reproduce:
1. create user and group syslog
2. set SYSLOG_NG_OPTS="-u syslog -g syslog" in /etc/conf.d/syslog-ng
3. start syslog
Actual Results:  
# /etc/init.d/syslog-ng start
 * Caching service dependencies ...                                                                                                                                                                                                                                                                                    [ ok ]
 * Starting syslog-ng ...
Error creating persistent state file; filename='/var/lib/misc/syslog-ng.persist-', error='Permission denied (13)'
 * start-stop-daemon: failed to start `/usr/sbin/syslog-ng'
 * Failed to start syslog-ng                                                                                                                                                                                                                                                                                           [ !! ]
 * ERROR: syslog-ng failed to start


Expected Results:  
syslog runs as user syslog

Portage 2.1.11.43 (hardened/linux/amd64, gcc-4.7.3, glibc-2.15-r3, 3.7.1 x86_64)
=================================================================
System uname: Linux-3.7.1-x86_64-Intel-R-_Pentium-R-_CPU_G860_@_3.00GHz-with-gentoo-2.2
KiB Mem:     8079528 total,   1901064 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Sat, 19 Jan 2013 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p42
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.6, 1.12.6, 1.13.1
sys-devel/binutils:       2.23, 2.23.1
sys-devel/gcc:            4.4.7, 4.6.4-r121109::x-portage, 4.7.3-r130105::x-portage
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo toolchain laurentb wbrana x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA PUEL dlj-1.1 ETQW RTCW-ETEULA googleearth AdobeFlash-10.3 Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -pipe -march=native -mtune=corei7 -fomit-frame-pointer -funroll-loops --param max-unrolled-insns=64"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O3 -pipe -march=native -mtune=corei7 -fomit-frame-pointer -funroll-loops --param max-unrolled-insns=64"
DISTDIR="/mnt/sdb4/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch protect-owned sandbox sfperms split-elog split-log splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv webrsync-gpg"
FFLAGS="-O3 -pipe -march=native -mtune=corei7 -fomit-frame-pointer -funroll-loops --param max-unrolled-insns=64"
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu  -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/mnt/md3/cache/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/mnt/md3/cache"
PORTDIR="/mnt/md3/portage"
PORTDIR_OVERLAY="/var/lib/layman/toolchain /var/lib/layman/laurentb /var/lib/layman/wbrana /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi aio alsa amd64 amr apng berkdb bzip2 c++0x cairo caps chm cli consolekit cracklib crypt curl cxx dbus device-mapper dlz dri dts dvb eix enca exif extensions extras faad ffmpeg flac gbm gcj gdbm glib glibc-omitfp glitz gnutls gold graphite gtk gudev handbook hardened hwdb iconv jit jpeg jpeg2k justify lcms libass libkms llvm lm_sensors logrotate lzma matroska mikmod minizip mmx mmxext mng modplug modules mp3 mpeg mudflap multilib multislot ncurses nodrm nptl nsplugin ogg openal opengl openmp pam pax_kernel pch pcntl pcre pcre16 pdf pic png pppd python3 qt qt3support qt4 rar readline rtsp sandbox schroedinger session slang smp spell sqlite sqlite3 sse sse2 sse3 sse4 sse4_1 ssl ssse3 symlink theora threads tiff truetype unicode urandom usb userpriv v4l2 vlc vorbis vpx x264 xcb xcomposite xml xorg xv xvid zlib" ALSA_CARDS="virtuoso" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_GB" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2013-01-20 00:59:28 UTC 
then use --persist-file to someplace that user can write to.
Comment 2 wbrana 2013-01-20 15:49:07 UTC 
I created directories and used --persist-file and --pidfile, but it wasn't enough.

Error opening control socket, bind() failed; socket='/var/run/syslog-ng.ctl', error='Address already in use (98)'

I had to change ebuild

--- syslog-ng-3.3.5-r1.ebuild	2012-06-08 20:50:14.000000000 +0200
+++ syslog-ng-3.3.5-r131.ebuild	2013-01-19 18:46:01.021751100 +0100
@@ -68,8 +68,8 @@
 		--disable-systemd \
 		--with-ivykis=internal \
 		--sysconfdir=/etc/syslog-ng \
-		--localstatedir=/var/lib/misc \
-		--with-pidfile-dir=/var/run \
+		--localstatedir=/var/lib/misc/syslog \
+		--with-pidfile-dir=/var/run/syslog \
 		--with-module-dir=/usr/$(get_libdir)/syslog-ng \
 		$(use_enable caps linux-caps) \
 		$(use_enable ipv6) \

change /etc/init.d/syslog-ng
from
SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-/var/run/${SVCNAME}.pid}
to
SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-/var/run/syslog/${SVCNAME}.pid}

syslog seems to run now, but it is possible it is still broken
Comment 3 wbrana 2013-01-22 10:26:11 UTC 
/var/run/syslog has to be always created

--- syslog-ng.old	2013-01-19 18:54:51.000000000 +0100
+++ syslog-ng	2013-01-22 11:10:22.844060488 +0100
@@ -13,7 +13,7 @@
 SYSLOG_NG_SERVICE=${SYSLOG_NG_SERVICE:-syslog-ng}
 
 SYSLOG_NG_CONFIGFILE=${SYSLOG_NG_CONFIGFILE:-/etc/syslog-ng/${SYSLOG_NG_SERVICE}.conf}
-SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-/var/run/${SVCNAME}.pid}
+SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-/var/run/syslog/${SVCNAME}.pid}
 SYSLOG_NG_OPTS="--cfgfile ${SYSLOG_NG_CONFIGFILE} --pidfile ${SYSLOG_NG_PIDFILE} ${SYSLOG_NG_OPTS}"
 
 depend() {
@@ -50,6 +50,8 @@
 	checkconfig || return 1
 	ebegin "Starting ${SVCNAME}"
 	[ -n "${SYSLOG_NG_OPTS}" ] && SYSLOG_NG_OPTS="-- ${SYSLOG_NG_OPTS}"
+	mkdir /var/run/syslog
+	chown syslog /var/run/syslog
 	start-stop-daemon --start --pidfile "${SYSLOG_NG_PIDFILE}" --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS}
 	eend $? "Failed to start ${SVCNAME}"
 }
Comment 4 wbrana 2013-01-27 11:48:58 UTC 
Created attachment 337002 [details, diff]
complete patch RC1
Comment 5 wbrana 2013-01-27 14:00:26 UTC 
(In reply to comment #4)
> Created attachment 337002 [details, diff] [details, diff]
> complete patch RC1
It seems syslog running as user syslog isn't safe enough.
Syslog should run in chroot.
Comment 6 wbrana 2013-01-27 16:12:55 UTC 
chroot support in syslog-ng is useless
I replaced syslog-ng with app-admin/sysklogd, which is safe enough without chroot.